如何使用Jersey Client对启用了JAAS的Web服务器进行身份验证？ [英] How can you authenticate using the Jersey Client against a JAAS enabled web-server?

问题描述

我有以下情况：

服务器：Jetty（已配置JAAS）

Server: Jetty (with configured JAAS)

客户端：泽西岛通过JUnit调用（通过Maven）

Client: Jersey invoked via JUnit (via Maven)

我在Web服务器中设置了JAAS。我使用客户端部分作为测试。

I have JAAS set up in the web server. I am using the client part as a test.

在服务器端，用户通过具有通过JAAS处理的基本身份验证的表单进行身份验证。显然，用户需要先进行身份验证才能查看某些页面。

On the server side users are authenticated through a form with Basic authentication handled via JAAS. Obviously, users need to be authenticated before being able to view certain pages.

我希望能够在尝试访问安全页面之前通过Jersey登录。如何才能做到这一点？我已经检查过你可以定义一个过滤器，但我不太清楚如何使用它。并且 - 一旦用户通过表单登录，我该如何进行（从客户端）到我真正感兴趣的页面？

I would like to be able to login via the Jersey before trying to access a secured page. How can this be done? I have checked that you can define a filter, but I'm not quite sure how to use that. And -- once the user is logged in via the form, how can I proceed (from the client-side) to the page I'm actually interested in?

I我真的很感激，如果有人能告诉我如何在客户端使用Jersey进行此操作。

I would really appreciate it, if somebody could show me an example how this is done on the client side with Jersey.

我有以下JUnit测试用例方法：

I have the following JUnit test case method:

@Test
public void testLogin()
        throws IOException
{
    String URL_LOGIN = "http://localhost:9080/foo/auth.html";
    Client client = Client.create();

    String username = "me";
    String password = "me";

    final HTTPBasicAuthFilter authFilter = new HTTPBasicAuthFilter(username, password);
    client.addFilter(authFilter);
    client.addFilter(new LoggingFilter());

    WebResource webResource = client.resource(URL_LOGIN);
    // I even tried:
    // webResource.header("Authorization", "Basic " + "base64encoded_userid:password").type("application/xml");

    String page = webResource.post(String.class);

    System.out.println(page);
}

请注意：

1） http：// localhost：9080 / foo / auth.html 是我应该是的页面看到成功的身份验证。

1) http://localhost:9080/foo/auth.html is the page I am supposed to be seeing upon successful auth.

2）我实际上看到了 http的输出：// localhost：9080 / foo / login.html 。

2) I am actually seeing the output of http://localhost:9080/foo/login.html.

3）显然，通过浏览器，我可以通过login.html页面成功登录。

3) Obviously, through a browser, I can successfully login via the login.html page.

我在这里似乎错过了什么？

What do I seem to be missing out here?

推荐答案

使用Basic auth，您根本不需要访问任何登录页面。如果服务器配置为使用Basic auth，那么如果在请求中包含基本auth标头，则可以向任何受保护页面发出请求。泽西过滤器负责这一点。所以，如果Basic auth真的是服务器正在使用的，那么你的代码应该可以工作。

With Basic auth you don't need to go to any login page at all. If the server is configured to use Basic auth, then you can make requests to any protected page if you include the basic auth header in your requests. The Jersey filter takes care of that. So, if Basic auth would really be what the server is using, then your code should work.

鉴于它不起作用，它的工作方式不起作用我很漂亮确保服务器配置为使用基于表单的身份验证而不是基本身份验证。

Given it does not work and the way it does not work I am pretty sure the server is configured to use form-based authentication instead of the basic authentication.

要使基于表单的身份验证起作用，您必须发送一个帖子请求使用包含用户名和密码的表单数据登录，然后将从服务器收到的cookie设置为后续请求（因为服务器 - 一旦登录 - 将设置会话cookie）。

For the form-based authentication to work, you'll have to send a post request with form data including user name and password to log in and then set cookies you receive from the server to your subsequent requests (since the server - once you log in - will set the session cookie).

查看login.html的外观 - 它应该包含一个表单。如果它使用标准servlet格式auth。，那个表单的操作URL应该是j_security_check，并且应该有两个表单参数：j_username和j_password。如果是这种情况，您可以尝试以下内容：

Look at how the login.html looks like - it should contain a form. If it is using the standard servlet form auth., the action URL of that form should be "j_security_check" and there should be two form parameters: j_username and j_password. If that is the case, you can try something like the following:

String URL_LOGIN = "http://localhost:9080/foo/j_security_check";
String URL_DATA = "http://localhost:9080/foo/auth.html";
Client client = Client.create();

// add a filter to set cookies received from the server and to check if login has been triggered
client.addFilter(new ClientFilter() {
    private ArrayList<Object> cookies;

    @Override
    public ClientResponse handle(ClientRequest request) throws ClientHandlerException {
        if (cookies != null) {
            request.getHeaders().put("Cookie", cookies);
        }
        ClientResponse response = getNext().handle(request);
        // copy cookies
        if (response.getCookies() != null) {
            if (cookies == null) {
                cookies = new ArrayList<Object>();
            }
            // A simple addAll just for illustration (should probably check for duplicates and expired cookies)
            cookies.addAll(response.getCookies());
        }
        return response;
    }
});

String username = "me";
String password = "me";

// Login:
WebResource webResource = client.resource(URL_LOGIN);

com.sun.jersey.api.representation.Form form = new Form();
form.putSingle("j_username", username);
form.putSingle("j_password", password);
webResource.type("application/x-www-form-urlencoded").post(form);

// Get the protected web page:
webResource = client.resource(URL_DATA);
String response = webResource.get(String.class);

我没有测试过这个，所以可能会有一些拼写错误或错误。

I haven't tested this, so maybe there will be some typos or bugs.

这篇关于如何使用Jersey Client对启用了JAAS的Web服务器进行身份验证？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！