How to use role-based access control for EJBs in WebLogic

Wangchao java/jsp · Author: anonymous  2006-01-09

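From the developer's point of view, the application itself only needs to define which roles may access which methods. The mapping between those roles and the actual users in the system is defined by the deployer.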

1. application.xml defines the roles that will be used

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE application PUBLIC '-//Sun Microsystems, Inc.//DTD J2EE Application 1.3//EN' 'http://java.sun.com/dtd/application_1_3.dtd'>
<application>
  <display-name>EjbTest</display-name>
  <module>
    <ejb>EjbTest.jar</ejb>
  </module>
  <security-role>
    <description></description>
    <role-name>MyRole1</role-name>
  </security-role>
</application>

2. weblogic-application.xml maps the system user (springview) to the role (MyRole1)

<!DOCTYPE weblogic-application PUBLIC '-//BEA Systems, Inc.//DTD WebLogic Application 8.1.0//EN' 'http://www.bea.com/servers/wls810/dtd/weblogic-application_2_0.dtd'>
<weblogic-application>
  <security>
    <security-role-assignment>
      <role-name>MyRole1</role-name>
      <principal-name>springview</principal-name>
    </security-role-assignment>
  </security>
  <application-param>
    <param-name>webapp.encoding.default</param-name>
    <param-value>UTF-8</param-value>
  </application-param>
  <classloader-structure>
  </classloader-structure>
</weblogic-application>

3. ejb-jar.xml defines which methods can be accessed by which roles

<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>Ses</ejb-name>
      <home>src.SesHome</home>
      <remote>src.Ses</remote>
      <ejb-class>src.SesBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-role-ref>
        <!-- Defines the fixed MyRole mapping name that can be used in the program -->
        <role-name>MyRole1</role-name>
        <role-link>MyRole1</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- This section is required; it defines the logical name of the role used in this EJB -->
    <security-role>
      <role-name>MyRole1</role-name>
    </security-role>
    <method-permission>
      <!-- Defines that method2 can only be accessed by MyRole1; a user who looks up this EJB through JNDI as springview has the MyRole1 role -->
      <role-name>MyRole1</role-name>
      <method>
        <ejb-name>Ses</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>method2</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>MyRole1</role-name>
      <method>
        <ejb-name>Ses</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>method1</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
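
The role names in ejb-jar.xml and weblogic-application.xml have to line up: each role in a method-permission needs a security-role declaration and a security-role-assignment. The Python check below is an added example, not part of the original article; the function name `audit` is hypothetical, the descriptors are constructed samples modelled on the ones above, and MyRole2 is a deliberately undeclared, unmapped role introduced for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors modelled on the page's (DOCTYPE omitted). The second
# method-permission deliberately uses MyRole2, which is declared and mapped nowhere.
EJB_JAR = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>MyRole1</role-name></security-role>
  <method-permission><role-name>MyRole1</role-name>
    <method><ejb-name>Ses</ejb-name><method-name>method2</method-name></method>
  </method-permission>
  <method-permission><role-name>MyRole2</role-name>
    <method><ejb-name>Ses</ejb-name><method-name>method1</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""
WL_APP = """<weblogic-application><security><security-role-assignment>
  <role-name>MyRole1</role-name><principal-name>springview</principal-name>
</security-role-assignment></security></weblogic-application>"""

def text(elem, tag):
    return (elem.findtext(tag) or "").strip()

def audit(ejb_jar_xml, wl_app_xml):
    """Return (findings, callers): descriptor gaps and principals per EJB method."""
    ad = ET.fromstring(ejb_jar_xml).find("assembly-descriptor")
    if ad is None:
        raise ValueError("ejb-jar.xml has no <assembly-descriptor>")
    declared = {(r.text or "").strip() for r in ad.iterfind("security-role/role-name")}
    mapped = {}  # role -> set of principals from weblogic-application.xml
    for a in ET.fromstring(wl_app_xml).iterfind("security/security-role-assignment"):
        names = {(p.text or "").strip() for p in a.iterfind("principal-name")}
        mapped.setdefault(text(a, "role-name"), set()).update(names)
    findings, callers = [], {}
    for mp in ad.iterfind("method-permission"):
        roles = {(r.text or "").strip() for r in mp.iterfind("role-name")}
        for role in sorted(roles - declared):
            findings.append(f"{role}: used in method-permission but not declared")
        for role in sorted(r for r in roles if not mapped.get(r)):
            findings.append(f"{role}: no security-role-assignment")
        for m in mp.iterfind("method"):
            key = (text(m, "ejb-name"), text(m, "method-name"))
            for role in roles:  # resolve method -> role -> principals
                callers.setdefault(key, set()).update(mapped.get(role, set()))
    return findings, callers

if __name__ == "__main__":
    findings, callers = audit(EJB_JAR, WL_APP)
    print("\n".join(findings))
    for (ejb, method), who in sorted(callers.items()):
        print(f"{ejb}.{method}: {sorted(who) or 'no mapped principal'}")
```

The check only covers methods that appear in a method-permission; methods of the bean that are listed nowhere in the descriptor are outside what it can see.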

4. Create a JNDI InitialContext that logs in as the user springview. Every resource or object (for example, an EJB) looked up through this InitialContext carries the identity of the springview user.

// Imports needed by the enclosing class
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

private static Context getInitialContext() throws Exception {
    String url = "t3://localhost:7001";
    String user = "springview"; //"test";
    String password = "springview1234"; //"test";
    Properties properties = null;
    try {
        properties = new Properties();
        properties.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        properties.put(Context.PROVIDER_URL, url);
        if (user != null) {
            // The principal and credentials set here are the identity used for lookups through this context
            properties.put(Context.SECURITY_PRINCIPAL, user);
            properties.put(Context.SECURITY_CREDENTIALS, password == null ? "" : password);
        }
        return new InitialContext(properties);
    }
    catch (Exception e) {
        //log("Unable to connect to WebLogic server at " + url);
        //log("Please make sure that the server is running.");
        throw e;
        //e.printStackTrace() ;
    }
}

 
 
 