From the developer's point of view the application itself only declares which roles ("role") may call which methods; mapping those roles to the real users of the system is the deployer's job.
1. application.xml: declare the roles the application uses
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE application PUBLIC "-//Sun Microsystems, Inc.//DTD J2EE Application 1.3//EN" "http://java.sun.com/dtd/application_1_3.dtd">
<application>
<display-name>ejbtest</display-name>
<module>
<ejb>ejbtest.jar</ejb>
</module>
<security-role>
<description></description>
<role-name>myrole1</role-name>
</security-role>
</application>
2. weblogic-application.xml: map a system user (springview) to the role (myrole1)
<!DOCTYPE weblogic-application PUBLIC "-//BEA Systems, Inc.//DTD WebLogic Application 8.1.0//EN" "http://www.bea.com/servers/wls810/dtd/weblogic-application_2_0.dtd">
<weblogic-application>
<security>
<security-role-assignment>
<role-name>myrole1</role-name>
<!-- A user or group of the WebLogic security realm. The name must match exactly (no surrounding
     whitespace); a group is usually preferable so that users can be added without redeploying. -->
<principal-name>springview</principal-name>
</security-role-assignment>
</security>
<application-param>
<param-name>webapp.encoding.default</param-name>
<param-value>utf-8</param-value>
</application-param>
<classloader-structure>
</classloader-structure>
</weblogic-application>
3. ejb-jar.xml: define which methods may be called by which roles
Only the methods listed under a method-permission are protected. The EJB 2.x specification leaves methods that appear in no method-permission for the deployer to decide, and in practice WebLogic treats them as unchecked, i.e. callable by any client; that is why the home interface's create() still works for everyone here. List every method that must be restricted (the wildcard <method-name>*</method-name> covers a whole interface) and put methods that nobody should call in an <exclude-list>.
<ejb-jar>
<enterprise-beans>
<session>
<ejb-name>ses</ejb-name>
<home>src.SesHome</home>
<remote>src.Ses</remote>
<ejb-class>src.SesBean</ejb-class>
<session-type>Stateless</session-type>
<transaction-type>Container</transaction-type>
<security-role-ref>
<!-- The fixed role name the bean code passes to SessionContext.isCallerInRole();
     role-link ties it to the logical role declared in the assembly-descriptor below -->
<role-name>myrole1</role-name>
<role-link>myrole1</role-link>
</security-role-ref>
</session>
</enterprise-beans>
<assembly-descriptor>
<!-- This block is required: it declares the logical role names used in this EJB jar -->
<security-role>
<role-name>myrole1</role-name>
</security-role>
<method-permission>
<!-- method2 may only be called by myrole1. A client that looks this EJB up through JNDI
     as springview carries the myrole1 role (see the mapping in weblogic-application.xml) -->
<role-name>myrole1</role-name>
<method>
<ejb-name>ses</ejb-name>
<method-intf>Remote</method-intf>
<method-name>method2</method-name>
</method>
</method-permission>
<method-permission>
<!-- method1 is restricted to myrole1 in the same way -->
<role-name>myrole1</role-name>
<method>
<ejb-name>ses</ejb-name>
<method-intf>Remote</method-intf>
<method-name>method1</method-name>
</method>
</method-permission>
</assembly-descriptor>
</ejb-jar>
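The descriptor references the bean class src.SesBean and the interfaces src.SesHome and src.Ses, but the page does not show them. The following is an added example, not the page's or the project's own code, of what that stateless session bean could look like. It shows the part of the descriptor that bean code actually touches: the security-role-ref name is what SessionContext.isCallerInRole() is called with, and getCallerPrincipal() returns the identity that was bound at JNDI login time. The method signatures, return values and package layout are assumptions; the three types are separate source files shown together.

```java
// src/Ses.java - remote interface referenced by <remote>src.Ses</remote>
package src;

import java.rmi.RemoteException;
import javax.ejb.EJBObject;

public interface Ses extends EJBObject {
    String method1() throws RemoteException;
    String method2() throws RemoteException;
}

// src/SesHome.java - home interface referenced by <home>src.SesHome</home>
package src;

import java.rmi.RemoteException;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;

public interface SesHome extends EJBHome {
    // create() is in no method-permission in ejb-jar.xml, so every client may call it
    Ses create() throws CreateException, RemoteException;
}

// src/SesBean.java - bean class referenced by <ejb-class>src.SesBean</ejb-class>
package src;

import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class SesBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() throws CreateException { }
    public void ejbRemove() { }
    public void ejbActivate() { }   // not called for a stateless bean
    public void ejbPassivate() { }  // not called for a stateless bean

    // Protected declaratively by the method-permission in ejb-jar.xml: the container has
    // already rejected callers that are not in myrole1 before this code runs.
    public String method1() {
        Principal caller = ctx.getCallerPrincipal(); // the JNDI login identity, e.g. "springview"
        return "method1 called by " + caller.getName();
    }

    // Programmatic check in addition to the declarative one. The string passed to
    // isCallerInRole() is the <role-name> of the security-role-ref, which <role-link>
    // ties to the assembly-level role; the two must be kept in sync when the descriptor changes.
    public String method2() {
        String caller = ctx.getCallerPrincipal().getName();
        if (!ctx.isCallerInRole("myrole1")) {
            throw new EJBException("caller " + caller + " is not in role myrole1");
        }
        return "method2 called by " + caller;
    }
}
```

Because the container enforces the method-permission before the bean is invoked, the isCallerInRole() check in method2 only matters for decisions the descriptor cannot express (for example, a role that may call a method but only on its own records); it is shown here to make the role-ref linkage concrete.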
4. Create an InitialContext that logs in to JNDI as springview; every resource or object (e.g. an EJB) looked up through that InitialContext carries the springview identity
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

/**
 * Builds a JNDI InitialContext that authenticates to WebLogic as springview.
 * Everything obtained through it (the EJB home and the beans it creates) is
 * invoked under that identity, so the container sees the myrole1 role on the calls.
 */
private static Context getInitialContext() throws Exception {
    String url = "t3://localhost:7001";
    // The principal must match the realm user exactly: no stray whitespace.
    String user = "springview";         // "test";
    String password = "springview1234"; // "test";
    Properties properties = new Properties();
    properties.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    properties.put(Context.PROVIDER_URL, url);
    if (user != null) {
        // Without a principal and credentials the context is anonymous and carries no roles.
        properties.put(Context.SECURITY_PRINCIPAL, user);
        properties.put(Context.SECURITY_CREDENTIALS, password == null ? "" : password);
    }
    try {
        return new InitialContext(properties);
    } catch (Exception e) {
        // log("Unable to connect to WebLogic server at " + url);
        // log("Please make sure that the server is running.");
        throw e;
    }
}
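As an added example that is not part of the original page, here is a client that uses the same login recipe to verify the permissions end to end: it calls method2 as springview, which weblogic-application.xml maps to myrole1, and again without credentials, which the container should refuse. The JNDI name "ses" and the src.SesHome / src.Ses interfaces are assumptions (the page does not show the bean's JNDI name, which lives in weblogic-ejb-jar.xml). WebLogic reports a denied EJB call to a remote client as java.rmi.AccessException, a subclass of RemoteException; if your container version wraps it differently, widen the catch to RemoteException and inspect the cause.

```java
// SesClient.java (added example; assumes the src.Ses / src.SesHome interfaces
// and the JNDI name "ses", neither of which the page shows)
import java.rmi.AccessException;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import src.Ses;
import src.SesHome;

public class SesClient {
    private static final String URL = "t3://localhost:7001";
    private static final String JNDI_NAME = "ses"; // assumed; configured in weblogic-ejb-jar.xml

    /** Same recipe as getInitialContext() above, parameterised by user; a null user gives an anonymous context. */
    static Context login(String user, String password) throws NamingException {
        Properties props = new Properties();
        props.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        props.put(Context.PROVIDER_URL, URL);
        if (user != null) {
            props.put(Context.SECURITY_PRINCIPAL, user);
            props.put(Context.SECURITY_CREDENTIALS, password == null ? "" : password);
        }
        return new InitialContext(props);
    }

    /** Looks up the home and creates a bean; both run under the identity bound to ctx. */
    static Ses lookup(Context ctx) throws Exception {
        Object ref = ctx.lookup(JNDI_NAME);
        SesHome home = (SesHome) PortableRemoteObject.narrow(ref, SesHome.class);
        return home.create(); // create() is in no method-permission, so it is unchecked
    }

    /**
     * Returns true if the container lets this user call method2.
     * Only AccessException counts as "denied"; any other RemoteException (e.g. the
     * server is down) propagates so that an outage is not mistaken for a denial.
     */
    static boolean canCallMethod2(String user, String password) throws Exception {
        Context ctx = login(user, password);
        try {
            Ses ses = lookup(ctx);
            ses.method2();
            return true;
        } catch (AccessException denied) {
            return false;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // springview is mapped to myrole1 in weblogic-application.xml: expect true
        System.out.println("springview can call method2: " + canCallMethod2("springview", "springview1234"));
        // an anonymous context carries no roles: expect false
        System.out.println("anonymous can call method2:  " + canCallMethod2(null, null));
    }
}
```

Run the client against a deployed ejbtest.ear; the second call is the one that proves the descriptors are doing their job, since a misspelled role-name, a missing security-role-assignment or a method left out of every method-permission all show up as the anonymous caller succeeding.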