简体繁体 English

适用于Windows和Linux的Jaas登录模块

[英]Jaas Login Module for Windows & Linux

原文 2012-04-15 07:41:09 4 2 java/ jaas

Can somebody work on jaas login modules. 有人可以从事jaas登录模块吗？ I was going through docs & my understanding is there is ntlogin module, unix login module comes with sun-jdk. 我正在浏览文档，我的理解是有ntlogin模块，unix登录模块是sun-jdk附带的。

I want to is these login module can 1. Authenticate with OS users 2. Provide groups of that user. 我要的是这些登录模块可以1.通过OS用户进行身份验证2.提供该用户的组。

basically I want to authenticate with os. 基本上我想通过os进行身份验证。 Input is username, password & group name. 输入的是用户名，密码和组名。 I want to know if username, password combination is right & user belong to that group. 我想知道用户名，密码组合是否正确以及用户是否属于该组。

I want to authenticate with windows & popular linux distros such as RHEL, Suse, CentOS. 我想通过Windows和流行的Linux发行版（例如RHEL，Suse，CentOS）进行身份验证。

I dont want to do LDAP authentication only os authentication. 我不想仅执行LDAP身份验证进行os身份验证。

For windows, there is waffle library available. 对于Windows，有可用的华夫饼干库。 But I am not able to authenticate when using 64bit machine. 但是使用64位计算机时，我无法进行身份验证。 On 32bit it runs fine. 在32bit上运行良好。

For linux, there is jpam, but it doesn't give group. 对于linux，有jpam，但没有给出分组。 It will just check username, password combinateion. 它将只检查用户名，密码组合。

2 个解决方案

As far as I remember JAAS is about Java code and vm related authorization: is current running code authorized to do something? 据我所记得，JAAS是关于Java代码和与vm相关的授权的：当前正在运行的代码是否被授权做某事？

I think it's easier to use some os native wrapping scripts to authenticate user and then just extract user info in your Java code. 我认为使用某些os native包装脚本来对用户进行身份验证然后在Java代码中提取用户信息会更容易。

I was looking for the same thing. 我在找同样的东西。 So far I've found that the Unix "login module" actually doesn't do any authentication; 到目前为止，我发现Unix的“登录模块”实际上不进行任何身份验证。 it creates Principals for the process' owner's user and group, and adds them to the Subject. 它为流程所有者的用户和组创建委托人，并将其添加到主题。 This makes it fairly useless for, say, authenticating webapp sessions. 例如，这对于验证Webapp会话相当无用。

You are going to need native code to authenticate OS credentials, but it should be possible to hook that into JAAS. 您将需要本机代码来验证OS凭据，但是应该可以将其挂接到JAAS中。 It makes sense to make that native code into a small and simple external helper program (like one of the many 'checkpasswd' programs that come with similar frameworks to solve the same problem) because it will need elevated privileges to gain access to the stored keys. 将本机代码变成一个小型且简单的外部帮助程序（例如，带有类似框架的多个“ checkpasswd”程序之一，以解决同一问题）是有意义的，因为它将需要提升的特权才能访问存储的密钥。