[英]What's wrong with this LoginModule? And how to authenticate users with JAAS in Jboss EAP 6.1?
I'm trying to implement an authentication/authorization module just for check username and password, in a Java EE application with JAAS. 我正在尝试使用JAAS在Java EE应用程序中实现用于检查用户名和密码的身份验证/授权模块。 I'm using Jboss EAP 6.1 to deploy. 我正在使用Jboss EAP 6.1进行部署。 But I get 403 (Access Denied) after use LoginModule in all pages for my webapp. 但是在我的webapp的所有页面中使用LoginModule后,我得到403(拒绝访问)。 My LoginModule is hard coded to check "user123" and "pass123", and put a "admin" role to my user. 我的LoginModule是硬编码的,用于检查“user123”和“pass123”,并为我的用户设置“admin”角色。
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
public class LoginMod implements LoginModule {
private CallbackHandler handler;
private Subject subject;
private UserPrincipal userPrincipal;
private RolePrincipal rolePrincipal;
private String login;
private List<Principal> userGroups;
private boolean succeeded = false;
@Override
public void initialize(
Subject subject,
CallbackHandler callbackHandler,
Map<String, ?> sharedState,
Map<String, ?> options)
{
handler = callbackHandler;
this.subject = subject;
}
@Override
public boolean login() throws LoginException
{
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback("login");
callbacks[1] = new PasswordCallback("password", true);
try {
handler.handle(callbacks);
String name = ((NameCallback) callbacks[0]).getName();
String password = String.valueOf(((PasswordCallback) callbacks[1])
.getPassword());
if (name != null &&
name.equals("user123") &&
password != null &&
password.equals("pass123")) {
System.out.println("\t\t[LoginMod] login:"+name);
login = name;
userGroups = new ArrayList<Principal>();
userGroups.add(new RolePrincipal("admin"));
succeeded = true;
return true;
}
throw new LoginException("Authentication failed");
} catch (IOException e) {
throw new LoginException(e.getMessage());
} catch (UnsupportedCallbackException e) {
throw new LoginException(e.getMessage());
}
}
@Override
public boolean commit() throws LoginException
{
if (succeeded == false) {
return false;
} else {
userPrincipal = new UserPrincipal(login);
subject.getPrincipals().add(userPrincipal);
if (userGroups != null && userGroups.size() > 0) {
for (Principal role : userGroups) {
rolePrincipal = new RolePrincipal(role.getName());
subject.getPrincipals().add(rolePrincipal);
}
}
System.out.println("\t\t[LoginMod] subject contains the role:"+
subject.getPrincipals().contains(rolePrincipal));
return true;
}
}
@Override
public boolean abort() throws LoginException
{
System.out.println("\t\t[LoginMod] Aborted" );
return false;
}
@Override
public boolean logout() throws LoginException
{
subject.getPrincipals().remove(userPrincipal);
subject.getPrincipals().remove(rolePrincipal);
return true;
}
}
I create a security domain and put a reference for this module in my standalone.xml: 我创建了一个安全域,并在我的standalone.xml中为此模块添加了一个引用:
<security-domains>
<security-domain name="acfwebRealm" cache-type="default">
<authentication>
<login-module code="acfweb.autenticacao.teste.LoginMod" flag="required"/>
</authentication>
</security-domain>
</security-domains>
And declare the realm in my app a jboss-web.xml file: 并在我的应用程序中声明一个jboss-web.xml文件:
<?xml version='1.0' encoding='UTF-8'?>
<jboss-web>
<context-root>acfweb</context-root>
<security-domain>acfwebRealm</security-domain>
</jboss-web>
In my web.xml I have: 在我的web.xml中,我有:
<welcome-file-list>
<welcome-file>interfaces/pages/index.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>Usuarios Autenticados</web-resource-name>
<url-pattern>/interfaces/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>acfwebRealm</realm-name>
<form-login-config>
<form-login-page>/logar.xhtml</form-login-page>
<form-error-page>/logar.xhtml</form-error-page>
</form-login-config>
</login-config>
I create a j_ form to use the LoginModule, and this calls my LoginModule correctly. 我创建一个j_表单来使用LoginModule,这会正确调用我的LoginModule。
<form method="post" action="j_security_check">
<h:panelGrid columns="2">
<h:outputLabel value="Username: " />
<input type="text" id="j_username" name="j_username" />
<h:outputLabel value="Password: " />
<input type="password" id="j_password" name="j_password" />
<h:outputText value="" />
<h:panelGrid columns="1">
<input type="submit" name="submit" value="Login" />
</h:panelGrid>
</h:panelGrid>
<br />
</form>
After sending the form data my server console show me the LoginModule sysout log: 发送表单数据后,我的服务器控制台显示LoginModule sysout日志:
INFO [stdout](http-/127.0.0.1:8080-2) [LoginMod] login:user123
INFO [stdout](http-/127.0.0.1:8080-2) [LoginMod] subject contains the role true
And then I get 403 (Access Denied), for all pages after that. 然后我得到403(拒绝访问),之后的所有页面。
Actually I don't need to authenticate my users in database, or an external LDAP, because I have another service available for this. 实际上,我不需要在数据库或外部LDAP中验证我的用户,因为我有另一个可用的服务。 Maybe I don't need an complete security module using JAAS, but I need control my users by roles in my EJBS, without send data representing my users in every call from Managed Beans to EJBs, captured by a Servlet filter eg Anyone could help me? 也许我不需要使用JAAS的完整安全模块,但是我需要通过我的EJBS中的角色来控制我的用户,而不是在从Managed Beans到EJB的每次调用中发送代表我的用户的数据,由Servlet过滤器捕获,例如任何人都可以帮助我? What I'm doing wrong in this LoginModule? 我在这个LoginModule中做错了什么? What is my options for described requirements? 对描述的要求有什么选择?
Try changing your jboss-web.xml 尝试更改jboss-web.xml
<jboss-web>
<security-domain>java:/jaas/acfwebRealm</security-domain>
</jboss-web>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.