Form Based Authentication


Question

I have experience programming Java applications but never any web apps, so XML is relatively new to me. I've learned quite a bit in my research but I'm currently stumped and hopefully you all can help me out.

Context: The company I work for hired a contractor to develop software for inventory. The developer chose to create a web app on the company's intranet (not connected to the Internet at all). Several months and a handful of revisions down the road, the developer quit working on the project for unknown reasons (to me, at least). So here I am using a .war file to reverse engineer and then finish the project!

I've configured Tomcat and MS SQL Server and all connections are good according to NetBeans. I can deploy the app but here is where I get stuck. The index.jsp contains a login.jsp. Looking at the code for these pages has me confused.

As best I can tell, the developer was going for Form Based Authentication so that user roles are determined at login. I don't understand how this code redirects to any page at all, much less does anything:

<%-- j_security_check, j_username and j_password are names reserved by the
     Servlet specification for FORM authentication; the servlet container,
     not this page, receives and handles the POST. --%>
<form method="POST" action='<%= response.encodeURL("j_security_check") %>' >
    <table border="0" cellspacing="5">
    <tr>
        <td>
            Username:<br>
            <input type="text" name="j_username" style="width: 200px;">
        </td>
    </tr>
    <tr>
        <td>
            Password:<br>
            <input type="password" name="j_password" style="width: 200px;">
        </td>
    </tr>
    <tr>
        <td><br><input type="submit" value="Log In" class="buttonStyle"> <input type="reset" class="buttonStyle"></td>
    </tr>
    </table>
</form>

Specifically, what tells the app that a login is good or bad? What handles the events when the buttons are clicked?

I appreciate your patience and help!

Solution

Take a read through the Java Servlet Specification, specifically section 13.6.3. Reading a spec sounds scary, but the Java Servlet Spec is one of the most readable I've ever read: it's meant to be read by programmers and not by lawyers.

The quick summary is that when a user tries to access a protected page (and hasn't yet authenticated), they are presented with the login page. The "submit" button posts the username and password to the servlet container (Tomcat), which performs the authentication (checks the username/password) and either goes back to the login page (if the username/password were incorrect) or redirects the user back to the protected page they originally requested.

There's some stuff going on here that isn't obvious because the container (Tomcat) is handling it for you. Reading the spec -- the whole thing, actually -- will give you great insight into how everything works and will make you much better prepared to babysit this code you've inherited.

Update 2014-10-22 13:45 EDT

To determine the type of authentication that is being performed, you need to look for a <Realm> element in your web application's META-INF/context.xml file, or in Tomcat's conf/server.xml, nested inside your web application's <Context> element. It will indicate the type of realm being used (usually "Memory", which is for conf/tomcat-users.xml, or DataSource/JDBC, which indicates that the authentication information is in a relational database, etc.).

None of the "realm" stuff is covered by the spec. For that, you'll have to refer to the Tomcat documentation, or join the Tomcat users' list and the community in general.
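To make the answer concrete, here is the deployment descriptor and realm configuration that the login form depends on, written as an added example rather than code taken from the question's inventory application. The URL patterns, page names, the role name "inventory-user", the JNDI resource name "jdbc/inventory", and the table and column names are all assumptions, and the <CredentialHandler> element requires Tomcat 8 or later. The first file answers "what tells the app a login is good or bad": <login-config> with <auth-method>FORM</auth-method> is what makes the container intercept j_security_check, and the <security-constraint> is what triggers the login page in the first place. The second file is the <Realm> the update refers to, shown as a DataSourceRealm against the MS SQL Server the question mentions.

```xml
<!-- WEB-INF/web.xml : declares which URLs are protected and how users log in.
     Added example, not the inventory app's own deployment descriptor.
     Paths (/app/*, /login.jsp, /login-error.jsp) and the role name
     "inventory-user" are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Everything under /app/ requires an authenticated user in the role.
       A request matching this constraint without an authenticated principal
       is what makes the container save the request, show the login page and,
       after a successful POST to j_security_check, redirect back here. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Inventory</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>inventory-user</role-name>
    </auth-constraint>
    <!-- Credentials travel in the POST body; require TLS even on an intranet. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM is what makes the container handle j_security_check and read
       j_username / j_password. The login and error pages must NOT be
       inside /app/*, or the redirect to them is itself intercepted. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Inventory</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>inventory-user</role-name>
  </security-role>
</web-app>

<!-- META-INF/context.xml : tells Tomcat where to verify the credentials.
     Assumes Tomcat 8 or later (for CredentialHandler) and a JNDI DataSource
     named jdbc/inventory declared in this same file; the MS SQL Server host,
     database, login, and the table/column names are assumptions. -->
<Context>
  <Resource name="jdbc/inventory" auth="Container" type="javax.sql.DataSource"
            driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
            url="jdbc:sqlserver://dbhost:1433;databaseName=inventory"
            username="inventory_app" password="CHANGE_ME"/>

  <!-- DataSourceRealm runs, in effect:
         SELECT user_pass FROM users      WHERE user_name = ?
         SELECT role_name FROM user_roles WHERE user_name = ?
       and compares the stored credential with what the form posted. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/inventory" localDataSource="true"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name">
    <!-- Store PBKDF2 hashes in user_pass instead of plaintext. Generate them with:
         $CATALINA_HOME/bin/digest.sh -a PBKDF2WithHmacSHA512 -i 100000 -s 16 -k 256 \
             -h org.apache.catalina.realm.SecretKeyCredentialHandler <password> -->
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                       algorithm="PBKDF2WithHmacSHA512"
                       iterations="100000" keyLength="256" saltLength="16"/>
  </Realm>
</Context>
```

Two things commonly bite people with this setup. The login page must sit outside the protected URL pattern, otherwise the redirect to it is itself intercepted and the browser loops. And the form only works for a request the container initiated: if a user opens /login.jsp directly and submits it, Tomcat has no saved request to return to and answers with its "Invalid direct reference to form login page" error, so the login page should always be reached by requesting a protected URL. On the realm side, the default MemoryRealm/UserDatabaseRealm reads plaintext passwords from conf/tomcat-users.xml; the <CredentialHandler> above makes the DataSourceRealm compare the posted password against salted PBKDF2 hashes instead, so a copy of the users table does not hand out the credentials.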

