
Custom LoginModule with JAASRealm in Websphere 8.5

I developed a LoginModule which implements javax.security.auth.spi.LoginModule, and I use the org.apache.catalina.realm.JAASRealm. Is there any way to use this solution on Websphere Application Server 8.5?

I read some articles saying that I need to set my LoginModule in the WEB_INBOUND. I tried this, and the application starts to request authentication, but the authorization didn't work. I guess this is because the JAASRealm doesn't exist on WAS; is there any similar Realm on WAS? How should I configure that?

One more question: when I configure the WEB_INBOUND, the admin console also uses my LoginModule to authenticate. Can I use my LoginModule only for my application?

Using login modules is a bit complicated, so I usually recommend avoiding that if possible. WAS provides support for some user registries out of the box, like File, LDAP, custom, and proprietary DB. Check whether that will be sufficient for you. If you need to customize the login process, it is usually easier to use a TAI (trust association interceptor) rather than a login module, as it is easier to program it to be active for certain apps only.

You didn't write what your customization in the login module is, so it's hard to recommend the best solution.

For authorization to work with a login module, you either need to have a configured registry with the groups/users for which you are creating the subject, or assert the full subject in the login module; check the details in the links below.

As to separating administration security (console) from application security: it is fairly easy in the WAS ND (Network Deployment) configuration, where you have a separate server for management (deployment manager); you just create a separate security domain and assign it to the servers serving your application.
In the Base (single server) configuration, you can't do that, as security settings are per JVM. You could try some workarounds via a separate server or admin agent, but the setup is more complex, and I didn't test that, so I'm speculating.

You may use WSServletRequestCallback or WSAppContextCallback in your LoginModule and do your customizations only for your application.

You can also create a copy of WEB_INBOUND and customize that copy. But to use it, you would need a customized login page/process and invoke that login configuration programmatically.

See also:
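An added example (not code from the asker or either answerer, and not shipped with WAS) of what the two answers describe: a WEB_INBOUND login module that uses WSServletRequestCallback to act only for one web application and otherwise returns false from login() so JAAS ignores it, and that asserts the subject through the WAS shared-state hashtable so authorization works without the user being in the registry. The com.ibm.wsspi.security class and constant names are the WAS 8.5 SPI as I recall them from its Javadoc and should be checked against your installation; the context path "/myapp", the "usersFile" module option and the SHA-256 properties file are assumptions standing in for whatever store the asker's JAASRealm module consulted (a real store should use a salted, iterated password hash).

```java
// Added example: a WEB_INBOUND login module scoped to a single application.
// Assumptions: context path "/myapp"; a module option "usersFile" naming a
// properties file of user=hex(SHA-256(password)); WAS SPI names as recalled.
import java.io.FileInputStream;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;
import com.ibm.wsspi.security.auth.callback.WSServletRequestCallback;
import com.ibm.wsspi.security.token.AttributeNameConstants;

public class AppScopedLoginModule implements LoginModule {
    private static final String MY_APP_CONTEXT = "/myapp";   // assumption
    private static final String REALM = "myRealm";          // assumption

    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private String usersFile;
    private boolean active;   // true only when the request belongs to our app

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
        this.usersFile = (String) options.get("usersFile");  // hypothetical option
    }

    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user:");
        PasswordCallback pwCb = new PasswordCallback("password:", false);
        WSServletRequestCallback reqCb = new WSServletRequestCallback("request:");
        try {
            handler.handle(new Callback[] { nameCb, pwCb, reqCb });
        } catch (Exception e) {
            throw new LoginException("callback handling failed: " + e.getMessage());
        }
        HttpServletRequest req = reqCb.getHttpServletRequest();
        // Not a web request for our application (e.g. the admin console): returning
        // false tells JAAS to ignore this module, so the stock modules run unchanged.
        if (req == null || !MY_APP_CONTEXT.equals(req.getContextPath())) {
            active = false;
            return false;
        }
        String user = nameCb.getName();
        char[] pw = pwCb.getPassword();
        pwCb.clearPassword();
        boolean ok = user != null && pw != null && checkAgainstMyStore(user, pw);
        if (pw != null) Arrays.fill(pw, '\0');
        if (!ok) throw new LoginException("authentication failed"); // no detail to client

        // Assert the full subject: WAS's later WEB_INBOUND modules read these keys
        // from the shared state, which is what makes authorization work here.
        Hashtable<String, Object> cred = new Hashtable<String, Object>();
        cred.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "user:" + REALM + "/" + user);
        cred.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, user);
        ArrayList<String> groups = new ArrayList<String>();
        groups.add("group:" + REALM + "/appusers");              // assumed group
        cred.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
        cred.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "myapp:" + user);
        sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, cred);
        active = true;
        return true;
    }

    public boolean commit() { return active; }
    public boolean abort()  { active = false; return true; }
    public boolean logout() { active = false; return true; }

    // Hypothetical verifier: constant-time compare of hex(SHA-256(password)) with the
    // stored value. Any I/O or lookup failure is treated as a failed login.
    private boolean checkAgainstMyStore(String user, char[] password) {
        try {
            Properties users = new Properties();
            FileInputStream in = new FileInputStream(usersFile);
            try { users.load(in); } finally { in.close(); }
            String expected = users.getProperty(user);
            if (expected == null) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(new String(password).getBytes("UTF-8"));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return MessageDigest.isEqual(expected.getBytes("UTF-8"),
                                         hex.toString().getBytes("UTF-8"));
        } catch (Exception e) {
            return false;
        }
    }
}
```

Register the class in the WEB_INBOUND stack ahead of the IBM modules with the "required" flag; because login() returns false for every other context path, admin-console and other applications' logins never see the custom check, which is the scoping the question asked for without a separate security domain.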
