jboss and jaas -- BBS Zhuoda Pingguoyuan Station -- Beijing Zhuoda College of Economics and Management
Source: Baidu Wenku  Editor: Shenma Wenxue Wang  Time: 2024/06/30 19:46:10
jboss and jaas
Author: hofman  Rank: Captain  Posted: 2004-06-20 22:47:17
http://members.capmac.org/~orb/blog.cgi/tech/java/jaas_jboss.html
I have a good bit of experience in authentication systems. Back when I wrote LDAP servers for a living, I spent a lot of time working on LDAP authentication modules for Apache, PAM and other systems. As a Java coder, I've had to code several authentication and single sign-on systems over the years, but I've only recently had the chance to try the Sun-blessed JAAS in a project. I needed to port a web application from a proprietary web container to JBoss, and authentication was a big part of that.
It turns out to be amazingly simple to use JAAS in JBoss. That's no surprise as everything is amazingly simple in JBoss if you are lucky enough to be able to find documentation for your task. In JBoss, adding an authentication system is as simple as providing a LoginModule implementation. You can tell JBoss about a new LoginModule by simply adding a directive to conf/login-config.xml. The format is straightforward.
JBoss provides a number of ready to use modules including authentication against LDAP servers, relational databases and properties files. If none of the provided modules work, you can always write your own module from scratch or extend one of the abstract modules. In this particular project, user names and passwords are stored in a relational database. However, the passwords are base64 encoded, (why? I don't know) and so I couldn't use the DatabaseServerLoginModule directly. DatabaseServerLoginModule has a convenient hook for this, so I simply need to provide a subclass that looks something like the following.
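import java.io.IOException;
import org.jboss.security.auth.spi.DatabaseServerLoginModule;

public class MyLoginModule
    extends DatabaseServerLoginModule
{
    // Hook called with the password read from the database; the stored
    // value is base64 text, so decode it before it is compared.
    protected String convertRawPassword(String password)
    {
        try {
            return new String((new sun.misc.BASE64Decoder()).decodeBuffer(password));
        } catch (IOException e) {
            // Decoding failed: fall back to the stored value unchanged.
            return password;
        }
    }
}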
My login-config.xml contains the following.
After that, configuring the application to use the new authentication module was as simple as adding "
A few notes to make life with JAAS in JBoss a bit simpler:
If your LoginModule has problems (bad configuration, for example), JBoss isn't very good at warning you. You'll have to turn logging up to make sure you see the errors. JBoss will silently switch to the "other" module (defined in login-config.xml) without telling you.
The documentation suggests that you can place an application-specific login-config.xml in your ear file, but I wasn't able to make it work. However, even though you provide the LoginModule definition in the global login-config.xml, you can still provide the implementation classes in your ear/war file. (You don't have to deploy the LoginModule separately.)
The JMX console provides information about your JAAS modules under "service=XMLLoginConfig". From the console, invoke displayAppConfig with the name of your application policy. If your module doesn't come up, you know it's not being seen.
Your JAAS modules will also show up under the java:/jaas namespace. (Use the list method on service=JNDIView to view this) However, you can't interact with them from the JNDIView.
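The hook flow the post above describes (read the stored value, pass it through convertRawPassword, compare it with what the user typed), as an added stand-alone example that is not the poster's or JBoss's code. It uses plain javax.security.auth and java.util.Base64 (Java 9 or later) in place of DatabaseServerLoginModule and sun.misc.BASE64Decoder, and it fails the login on an undecodable stored value instead of falling back to it; Base64LoginDemo, DemoModule, tryLogin, the in-memory STORED map and the alice/s3cret account are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class Base64LoginDemo {
    // Constructed stand-in for the database: user -> base64 text of the password "s3cret".
    static final Map<String, String> STORED = Map.of("alice", "czNjcmV0");
    public static class DemoModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
        // Same job as the convertRawPassword hook, but an undecodable value fails the login.
        static byte[] convertRawPassword(String stored) throws LoginException {
            try { return Base64.getDecoder().decode(stored); }
            catch (IllegalArgumentException e) { throw new FailedLoginException("stored value is not base64"); }
        }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pass = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { name, pass }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            String stored = name.getName() == null ? null : STORED.get(name.getName());
            if (stored == null || pass.getPassword() == null) throw new FailedLoginException("unknown user");
            byte[] given = new String(pass.getPassword()).getBytes(StandardCharsets.UTF_8);
            // MessageDigest.isEqual compares the two byte arrays in constant time.
            if (!MessageDigest.isEqual(convertRawPassword(stored), given)) throw new FailedLoginException("bad password");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    static boolean tryLogin(String user, String password) {
        Configuration cfg = new Configuration() { // one module entry with flag "required"
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        CallbackHandler h = cbs -> {
            for (Callback c : cbs)
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
        };
        try { new LoginContext("demo", null, h, cfg).login(); return true; }
        catch (LoginException e) { return false; }
    }
    public static void main(String[] a) { System.out.println(tryLogin("alice", "s3cret") + " " + tryLogin("alice", "guess")); }
}
```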
Re:jboss
Author: hofman  Rank: Captain  Posted: 2004-06-20 23:09:02
http://www.javaworld.com/javaforums/showflat.php?Cat=2&Board=JavaSecurity&Number=2500&page=2&view=collapsed&sb=5&o=&fpart=1
Make the JDBC settings as per your need.
JAAS Configuration
1. Database
Create the following tables:
a. Principals table consists of usernames (PrincipalID) and their passwords.
CREATE TABLE Principals (PrincipalID VARCHAR (64) PRIMARY KEY,
    Password VARCHAR (64));
Insert data
INSERT INTO Principals VALUES ('java', 'echoman');
INSERT INTO Principals VALUES ('duke', 'javaman');
b. Roles table consists of usernames (PrincipalID) and their Role and the RoleGroup they belong to.
CREATE TABLE Roles (PrincipalID VARCHAR (64), Role VARCHAR (64),
    RoleGroup VARCHAR (64));
Insert data
INSERT INTO Roles VALUES ('java', 'Echo', 'Roles');
INSERT INTO Roles VALUES ('java', 'caller_java', 'CallerPrincipal');
INSERT INTO Roles VALUES ('duke', 'Java', 'Roles');
INSERT INTO Roles VALUES ('duke', 'Coder', 'Roles');
INSERT INTO Roles VALUES ('duke', 'caller_duke', 'CallerPrincipal');
INSERT INTO Roles VALUES ('duke', 'Echo', 'Roles');
2. login-config.xml
This file is located in jboss-3.2.1\server\default\conf
a. add the following lines
flag="required"]
3. jboss-web.xml
Create a file jboss-web.xml and place the following code
<jboss-web>
</jboss-web>
example2 is the name of the security domain which we specified in application policy of login-config.xml
Copy this file into your application's WEB-INF folder
4. auth.conf
Create a file auth.conf and place it in jboss-3.2.1\client.
client-login
{
org.jboss.security.ClientLoginModule required;
};
example2
{
org.jboss.security.ClientLoginModule required;
org.jboss.security.auth.spi.DatabaseServerLoginModule required;
};
5. auth.conf
Create another auth.conf and place it in jboss-3.2.1\server\default\conf
// The JBoss server side JAAS login config file for the examples
client-login
{
org.jboss.security.ClientLoginModule required;
};
example2
{
org.jboss.security.ClientLoginModule required;
org.jboss.security.auth.spi.DatabaseServerLoginModule
required
dsJndiName="java:/SybaseDB"
principalsQuery="Select Password from Principals where PrincipalID =?"
rolesQuery="Select Role 'Roles', RoleGroup 'RoleGroups' from Roles where PrincipalID =?"
;
};
5. jndi
Path jboss-3.2.1\server\default\conf
java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory
java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces
# Do NOT uncomment this line as it causes in VM calls to go over
# RMI!
java.naming.provider.url=localhost:1099
#localhost
6. web.xml
Place the following code in your web.xml. (Change it according to your application requirements.)
// the role which can access these resources
//the login page in case of Basic authentication
//the login page in case of form based authentication
7. login.jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ page language="java" %>
<%
response.setHeader("Cache-Control","no-cache"); // HTTP 1.1
response.setHeader("Pragma","no-cache"); // HTTP 1.0
response.setDateHeader ("Expires", -1); // Prevents caching at the proxy server
%>