This topic was moved - menzy, 2004-05-09 08:23
A question about J2EE login methods, experts please come in [Featured]
wuliang
Posts: 46 | Points: 20
Posted 2004-04-27 14:41
First, some background on security in J2EE web applications:
A web application has four standard login methods: BASIC, DIGEST, FORM and CLIENT-CERT.
Login performs the authentication (1). After login, the role services HttpServletRequest.getUserPrincipal()/isUserInRole() give you the user's principal (roughly the login account) and role information.
In addition, web.xml declares the protected resources and the roles allowed to access them. When the J2EE container receives a request, it checks the roles the resource requires and compares them with the isUserInRole() role service above to decide authorization (2).

(1) Authentication (handling the user-role relationship) and (2) Authorization (handling the role-resource relationship) together make up the security architecture of a web application.



Re: A question about J2EE login methods, experts please come in [Re: wuliang]
wuliang
Posts: 46 | Points: 20
Posted 2004-04-27 14:44
The current problem is that the company uses its own login method (we plan to use CAS for single sign-on; whether you know CAS or not doesn't matter, it is our own login method either way), and we still want HttpServletRequest.getUserPrincipal()/isUserInRole() to return correct results. How should the two be combined, and is it even possible?
The key point is making HttpServletRequest.getUserPrincipal()/isUserInRole() return correct results, because authorization (2) depends on these methods, and then the authorization part would not have to be redone (the company also requires that we use J2EE authorization and not develop our own authorization module).

To put the question another way: besides the basic, form and similar login mechanisms, does J2EE provide any extension point that can be tied to a user's own login mechanism?


wuliang edited on 2004-04-28 10:15

Re: A question about J2EE login methods, experts please come in [Re: wuliang]
wuliang
Posts: 46 | Points: 20
Posted 2004-04-27 14:48
We have also thought of some approaches.
First, overriding HttpServletRequest.getUserPrincipal()/isUserInRole() is unrealistic. These two methods were introduced in the Servlet 2.3 specification and are implemented by the J2EE products; you can of course write your own, but the container will never call your override.
We considered CAS earlier, but now it seems it cannot be integrated? Now we are considering JAAS, but the J2EE products differ in their support for JAAS realms: WebLogic 8 requires a fat client, and Tomcat below version 5 does not support it. Tomcat 5 counts as advanced in this respect; perhaps they realised that the BASIC, DIGEST, FORM and CLIENT-CERT login methods are not enough:

JAASRealm is prototype for Tomcat of the proposed JAAS-based J2EE authentication framework for J2EE v1.4, based on the JCP Specification Request 196 to enhance container-managed security and promote 'pluggable' authentication mechanisms whose implementations would be container-independent.

--Tomcat-5.0/webapps/tomcat-docs/realm-howto.html#JAASRealm
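An added example, written for this page (not the thread's code and not Tomcat's own), of the kind of JAAS LoginModule that Tomcat 5's JAASRealm quoted above plugs in: the company's own credential check runs inside login(), and because the principals are attached to the Subject in commit(), the container populates getUserPrincipal()/isUserInRole() itself. The package and class names, the Directory interface and the in-memory SampleDirectory are assumptions constructed for the example; a real Directory would validate against CAS, LDAP or whatever the company uses.

```java
package com.example.auth;   // assumed package

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class CompanyLoginModule implements LoginModule {

    /** Hook for the company's real credential check (CAS, LDAP, ...). Returns roles, or null if rejected. */
    public interface Directory {
        List<String> rolesIfValid(String user, char[] password);
    }

    /** CONSTRUCTED stand-in directory so the module runs offline; a real one never holds plaintext. */
    public static final class SampleDirectory implements Directory {
        @Override
        public List<String> rolesIfValid(String user, char[] password) {
            boolean known = "alice".equals(user);
            // Unknown users are compared against a dummy so timing does not reveal which accounts exist.
            byte[] expected = (known ? "alice-pw" : "dummy-pw").getBytes(StandardCharsets.UTF_8);
            byte[] given = new String(password).getBytes(StandardCharsets.UTF_8);
            boolean ok = MessageDigest.isEqual(expected, given);   // constant-time comparison
            return (known && ok) ? Arrays.asList("employee", "manager") : null;
        }
    }

    /** Base for the two principal types the JAASRealm is told about (userClassNames/roleClassNames). */
    public abstract static class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && name.equals(((Named) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
    /** Becomes HttpServletRequest.getUserPrincipal(). */
    public static final class UserPrincipal extends Named { public UserPrincipal(String n) { super(n); } }
    /** One per role; answers HttpServletRequest.isUserInRole(). */
    public static final class RolePrincipal extends Named { public RolePrincipal(String n) { super(n); } }

    private Subject subject;
    private CallbackHandler handler;
    private Directory directory = new SampleDirectory();   // swap for the real store
    private String userName;          // set only after a successful login()
    private List<String> roles;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: the container's CallbackHandler supplies what the user typed into the login form. */
    @Override
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("container supplied no CallbackHandler");
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        String name = nameCb.getName();
        char[] password = passCb.getPassword();   // a copy; the callback's own copy is cleared next
        passCb.clearPassword();
        if (name == null || password == null) throw new FailedLoginException("bad credentials");
        try {
            List<String> found = directory.rolesIfValid(name, password);
            if (found == null) throw new FailedLoginException("bad credentials");   // same message either way
            userName = name;
            roles = found;
            return true;
        } finally {
            Arrays.fill(password, '\0');   // do not leave the password lying in the heap
        }
    }

    /** Phase 2: principals are attached only now, so a failed login leaves the Subject empty. */
    @Override
    public boolean commit() {
        if (userName == null) return false;
        subject.getPrincipals().add(new UserPrincipal(userName));
        for (String r : roles) subject.getPrincipals().add(new RolePrincipal(r));
        return true;
    }

    @Override
    public boolean abort() {
        boolean hadState = userName != null;
        userName = null;
        roles = null;
        return hadState;
    }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof Named);
        userName = null;
        roles = null;
        return true;
    }
}
```

Tomcat's side is two configuration items (the attribute names are Tomcat's JAASRealm attributes; the values are the assumed names from the block): a jaas.config entry `CompanyApp { com.example.auth.CompanyLoginModule required; };` selected with -Djava.security.auth.login.config, and in server.xml `<Realm className="org.apache.catalina.realm.JAASRealm" appName="CompanyApp" userClassNames="com.example.auth.CompanyLoginModule$UserPrincipal" roleClassNames="com.example.auth.CompanyLoginModule$RolePrincipal"/>`. With that in place the standard FORM login through j_security_check delivers the credentials to this module. Only the Realm wiring is Tomcat-specific; the module itself depends on nothing but JAAS, which is the container independence the quoted JSR 196 sentence is aiming for.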



Re: A question about J2EE login methods, experts please come in [Re: wuliang]
wuliang
Posts: 46 | Points: 20
Posted 2004-04-27 14:51
Personally I reject this design, because in the end you are bound to do separate development for each J2EE product, and different versions are incompatible with each other. Rather than that, it would be better to rewrite login and authorization ourselves.
But management insists this is the standard approach and conforms to the J2EE specification, so we are left with no choice and have to grit our teeth and do it, sigh~

Would an expert please give a few pointers? Many thanks!



Re: A question about J2EE login methods, experts please come in [Re: wuliang]
wuliang
Posts: 46 | Points: 20
Posted 2004-04-27 17:37
This afternoon I read the J2EE 1.4 specification and found a few errors in what I wrote above, though the problem is still the same problem:
1.4 requires implementations to provide three login mechanisms: basic, SSL mutual and form based.
"web container" would perhaps better be called "servlet container", heh. Although I have been doing this for quite some time, this is the first time I have read the specification *^_^*
It is not that Tomcat 4 does not support JAASRealm; it just does not ship with that implementation.


wuliang edited on 2004-04-28 09:55

Re: A question about J2EE login methods, experts please come in [Re: wuliang]
mfc42d
Posts: 116 | Points: 30
Posted 2004-04-29 16:53
I have only done CA work, never used JAAS.


Re: A question about J2EE login methods, experts please come in [Re: wuliang]
floater
Java Jedi
Chief moderator
Posts: 3233 | Points: 421
Posted 2004-04-29 21:31
not sure what you are trying to do.


"Any fool can write code that a computer can understand. Good programmers write code that humans can understand."
- Martin Fowler, Refactoring - Improving the Design of Existing Code
Re: A question about J2EE login methods, experts please come in [Re: wuliang]
wuliang
Posts: 46 | Points: 20
Posted 2004-04-30 09:43
>not sure what you are trying to do.
I mean that web.xml can be configured with authorization information, restricting which url-patterns may be accessed by which roles.
For that authorization information to take effect, you also have to configure the login method, i.e. specify login via basic or form (the authentication methods J2EE defines).
Now that we use our own login method (our own authentication), the authorization information in web.xml no longer takes effect.

Is there any way to use our own login method while the authorization configuration in web.xml still takes effect?

Not sure whether I have explained it clearly?



Re: A question about J2EE login methods, experts please come in [Re: wuliang]
floater
Java Jedi
Chief moderator
Posts: 3233 | Points: 421
Posted 2004-05-04 23:12
http://www.onjava.com/pub/a/onjava/2002/06/12/form.html


Re: A question about J2EE login methods, experts please come in [Re: wuliang]
wuliang
Posts: 46 | Points: 20
Posted 2004-05-08 08:40
I know all that. The form method must use j_security_check, j_username and j_password:
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
</form>

But what I am using now is:
<form method="POST" action="login.cgi">
<input type="text" name="name">
<input type="password" name="password">
</form>

How can my login notify the "container" that I have already logged in? That is, HttpServletRequest.getUserPrincipal().getName() should return my login name.
My feeling is that my own login has no way to hook into the container; getUserPrincipal only recognises basic, form and mutual login... not absolutely certain though.
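An added example, not from the thread, showing the answer the Servlet specification itself later gave to this exact question: Servlet 3.0 (2009, five years after this discussion) added HttpServletRequest.login(username, password), which hands credentials from any form, here the poster's action="login.cgi" with fields name and password, to the container's configured realm. Once it returns normally, getUserPrincipal().getName() is the login name and the web.xml constraints apply just as with FORM login. The URL mapping, the redirect target and the error handling are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Target of the poster's own form: <form method="POST" action="login.cgi"> with name/password. */
@WebServlet("/login.cgi")   // assumed mapping; must lie outside every security-constraint
public class CustomLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        String password = req.getParameter("password");
        if (name == null || name.isEmpty() || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "name and password required");
            return;
        }
        if (req.getUserPrincipal() != null) {
            // login() must not be called while an identity is already established.
            req.logout();
        }

        // Drop any pre-login session so an id an attacker planted in the browser (session
        // fixation) never turns into an authenticated session; the container registers the
        // principal in the fresh session created here.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        req.getSession(true);

        try {
            // Hands the credentials to whatever realm the container is configured with
            // (JAAS, JDBC, LDAP, ...); the application never touches the principal itself.
            req.login(name, password);
        } catch (ServletException e) {
            // One generic answer for unknown user and wrong password alike.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.setContentType("text/plain");
            resp.getWriter().println("login failed");
            return;
        }

        // From here on getUserPrincipal()/isUserInRole() and the web.xml
        // constraints behave exactly as after a j_security_check login.
        resp.sendRedirect(req.getContextPath() + "/reports/");   // assumed protected area
    }
}
```

The web.xml still needs a login-config (FORM with the company's own page works) and the security-constraints from the first post; login() only replaces the step in which the container collects the credentials. On Servlet 2.3/2.4 containers like the ones discussed in this thread this method does not exist, which is why the replies point at container-specific realms instead.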



Re: A question about J2EE login methods, experts please come in [Re: wuliang]
floater
Java Jedi
Chief moderator
Posts: 3233 | Points: 421
Posted 2004-05-10 10:33
If your container is fixed, read the doc to see whether there is a way to do so. At the servlet spec level, I am not aware of anything. But I do know there are several servlet containers that can do this.


Re: A question about J2EE login methods, experts please come in [Re: wuliang]
east
Posts: 9 | Points: 0
Posted 2004-06-26 03:10
<<<
But what I am using now is:
<form method="POST" action="login.cgi">
<input type="text" name="name">
<input type="password" name="password">
</form>

How can my login notify the "container" that I have already logged in? That is, HttpServletRequest.getUserPrincipal().getName() should return my login name.
My feeling is that my own login has no way to hook into the container; getUserPrincipal only recognises basic, form and mutual login... not absolutely certain though.
>>>

Your proposed solution seems not correct. I don't like to spend time on analyzing your solution. But I would show you a working solution. Frankly I am not quite familiar with any other J2EE Application Server (AS) except Weblogic.
Now let me take WLS 6.1 as an example, then you may follow my process to do on other platforms (servers).
In your case, you'd better use the so-called "Custom Realm". WLS provides its user interfaces (abstract classes may be more appropriate). So what you need to do is to extend them. Sounds simple? Maybe not really.
Specifically, you need to design three classes, e.g., MyUser extends User, MyGroup extends FlatGroup, and MyRealm extends AbstractListableRealm and implements RefreshableRealm, DebuggableRealm (if you want to debug your realm implementation in the runtime env).

User and Group are very straightforward. Only in the realm are there some tricks. In the MyRealm default constructor, you may initialize resources for later use. The key point is the method authenticate(String userName, String passWord) with a boolean return value. Now you can put your real authentication stuff here, e.g. pass the userName/passWord into a CGI script or something by using URL (java class). Then you can determine that boolean value based on the returned result or the value you parse from the returned message.

The authenticated user is then loaded into MyUser. Next, you have to define getUser(), getUsers(), getGroup(), getGroups(), etc. Nothing is difficult here because all these methods are required in the super classes.

Finally, you need to use the admin console to configure your custom realm. That's easy to do.

The remaining tasks, regarding web.xml, shouldn't be hard. You can put the url pattern to protect your resources in the tag <web-resource-collection>, put your list of roles in the tag <auth-constraint>, each role name should be defined in <security-role>, etc.

After users log in to the system, getRemoteUser(), getPrincipal(), isInRole(), etc. should work for you.

I know my response might be late for you. But maybe it helps someone else.



