Java 什么';这个登录模块怎么了?以及如何在Jboss EAP 6.1中使用JAAS对用户进行身份验证?
我正试图在一个带有JAAS的JavaEE应用程序中实现一个身份验证/授权模块,用于检查用户名和密码。我正在使用Jboss EAP 6.1进行部署。但在我的webapp的所有页面中使用LoginModule后,我得到403(拒绝访问)。我的LoginModule硬编码为检查“user123”和“pass123”,并为我的用户设置“admin”角色Java 什么';这个登录模块怎么了?以及如何在Jboss EAP 6.1中使用JAAS对用户进行身份验证?,java,jakarta-ee,jboss,ejb,jaas,Java,Jakarta Ee,Jboss,Ejb,Jaas,我正试图在一个带有JAAS的JavaEE应用程序中实现一个身份验证/授权模块,用于检查用户名和密码。我正在使用Jboss EAP 6.1进行部署。但在我的webapp的所有页面中使用LoginModule后,我得到403(拒绝访问)。我的LoginModule硬编码为检查“user123”和“pass123”,并为我的用户设置“admin”角色 import javax.security.auth.Subject; import javax.security.auth.callback.*; i
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
public class LoginMod implements LoginModule {
private CallbackHandler handler;
private Subject subject;
private UserPrincipal userPrincipal;
private RolePrincipal rolePrincipal;
private String login;
private List<Principal> userGroups;
private boolean succeeded = false;
@Override
public void initialize(
Subject subject,
CallbackHandler callbackHandler,
Map<String, ?> sharedState,
Map<String, ?> options)
{
handler = callbackHandler;
this.subject = subject;
}
@Override
public boolean login() throws LoginException
{
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback("login");
callbacks[1] = new PasswordCallback("password", true);
try {
handler.handle(callbacks);
String name = ((NameCallback) callbacks[0]).getName();
String password = String.valueOf(((PasswordCallback) callbacks[1])
.getPassword());
if (name != null &&
name.equals("user123") &&
password != null &&
password.equals("pass123")) {
System.out.println("\t\t[LoginMod] login:"+name);
login = name;
userGroups = new ArrayList<Principal>();
userGroups.add(new RolePrincipal("admin"));
succeeded = true;
return true;
}
throw new LoginException("Authentication failed");
} catch (IOException e) {
throw new LoginException(e.getMessage());
} catch (UnsupportedCallbackException e) {
throw new LoginException(e.getMessage());
}
}
@Override
public boolean commit() throws LoginException
{
if (succeeded == false) {
return false;
} else {
userPrincipal = new UserPrincipal(login);
subject.getPrincipals().add(userPrincipal);
if (userGroups != null && userGroups.size() > 0) {
for (Principal role : userGroups) {
rolePrincipal = new RolePrincipal(role.getName());
subject.getPrincipals().add(rolePrincipal);
}
}
System.out.println("\t\t[LoginMod] subject contains the role:"+
subject.getPrincipals().contains(rolePrincipal));
return true;
}
}
@Override
public boolean abort() throws LoginException
{
System.out.println("\t\t[LoginMod] Aborted" );
return false;
}
@Override
public boolean logout() throws LoginException
{
subject.getPrincipals().remove(userPrincipal);
subject.getPrincipals().remove(rolePrincipal);
return true;
}
}
然后我得到403(拒绝访问),这之后的所有页面
实际上,我不需要在数据库或外部LDAP中验证我的用户,因为我有另一个服务可用于此目的。也许我不需要使用JAAS的完整安全模块,但我需要通过EJB中的角色来控制我的用户,而不需要在从托管bean到EJB的每次调用中发送代表我用户的数据,这些数据由Servlet过滤器捕获,例如,有人可以帮助我吗?我在这个登录模块中做错了什么?对于所描述的需求,我有哪些选择?尝试更改jboss-web.xml
<jboss-web>
<security-domain>java:/jaas/acfwebRealm</security-domain>
</jboss-web>
java:/jaas/acfwebRealm
<?xml version='1.0' encoding='UTF-8'?>
<jboss-web>
<context-root>acfweb</context-root>
<security-domain>acfwebRealm</security-domain>
</jboss-web>
<welcome-file-list>
<welcome-file>interfaces/pages/index.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>Usuarios Autenticados</web-resource-name>
<url-pattern>/interfaces/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>acfwebRealm</realm-name>
<form-login-config>
<form-login-page>/logar.xhtml</form-login-page>
<form-error-page>/logar.xhtml</form-error-page>
</form-login-config>
</login-config>
<form method="post" action="j_security_check">
<h:panelGrid columns="2">
<h:outputLabel value="Username: " />
<input type="text" id="j_username" name="j_username" />
<h:outputLabel value="Password: " />
<input type="password" id="j_password" name="j_password" />
<h:outputText value="" />
<h:panelGrid columns="1">
<input type="submit" name="submit" value="Login" />
</h:panelGrid>
</h:panelGrid>
<br />
</form>
INFO [stdout](http-/127.0.0.1:8080-2) [LoginMod] login:user123
INFO [stdout](http-/127.0.0.1:8080-2) [LoginMod] subject contains the role true
<jboss-web>
<security-domain>java:/jaas/acfwebRealm</security-domain>
</jboss-web>