使用 j_security_check 在 Java EE/JSF 中执行用户身份验证 [英] Performing user authentication in Java EE / JSF using j_security_check

查看:43
本文介绍了使用 j_security_check 在 Java EE/JSF 中执行用户身份验证的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我想知道关于使用 JSF 2.0(如果存在任何组件)和 Java EE 6 核心机制(登录/检查权限/注销)的 Web 应用程序的用户身份验证的当前方法是保留用户信息在 JPA 实体中.Oracle Java EE 教程在这方面有点稀疏(仅处理 servlet).

I'm wondering what the current approach is regarding user authentication for a web application making use of JSF 2.0 (and if any components do exist) and Java EE 6 core mechanisms (login/check permissions/logouts) with user information hold in a JPA entity. The Oracle Java EE tutorial is a bit sparse on this (only handles servlets).

这是没有使用整个其他框架,如 Spring-Security (acegi) 或 Seam,但如果可能的话,尝试坚持使用新的 Java EE 6 平台(Web 配置文件).

This is without making use of a whole other framework, like Spring-Security (acegi), or Seam, but trying to stick hopefully with the new Java EE 6 platform (web profile) if possible.

推荐答案

在网上搜索并尝试了许多不同的方法后,以下是我对 Java EE 6 身份验证的建议:

After searching the Web and trying many different ways, here's what I'd suggest for Java EE 6 authentication:

就我而言,我在数据库中有用户.所以我按照这篇博文创建了一个 JDBC 领域,它可以根据我的数据库表中的用户名和 MD5 哈希密码对用户进行身份验证:

In my case, I had the users in the database. So I followed this blog post to create a JDBC Realm that could authenticate users based on username and MD5-hashed passwords in my database table:

http://blog.gamatam.com/2009/11/jdbc-realm-setup-with-glassfish-v3.html

注意:该帖子讨论了数据库中的用户和组表.我有一个 User 类,其 UserType 枚举属性通过 javax.persistence 注释映射到数据库.我为用户和组配置了同一个表的领域,使用 userType 列作为组列,它工作正常.

Note: the post talks about a user and a group table in the database. I had a User class with a UserType enum attribute mapped via javax.persistence annotations to the database. I configured the realm with the same table for users and groups, using the userType column as the group column and it worked fine.

还是照着上面的博文,配置好你的web.xml和sun-web.xml,不过不是用BASIC认证,而是用FORM(其实你用哪一个都无所谓,但我最后用的是FORM).使用标准 HTML ,而不是 JSF .

Still following the above blog post, configure your web.xml and sun-web.xml, but instead of using BASIC authentication, use FORM (actually, it doesn't matter which one you use, but I ended up using FORM). Use the standard HTML , not the JSF .

然后使用上面 BalusC 的提示,从数据库中延迟初始化用户信息.他建议在托管 bean 中执行此操作,从面部上下文中获取主体.相反,我使用有状态会话 bean 来存储每个用户的会话信息,因此我注入了会话上下文:

Then use BalusC's tip above on lazy initializing the user information from the database. He suggested doing it in a managed bean getting the principal from the faces context. I used, instead, a stateful session bean to store session information for each user, so I injected the session context:

 @Resource
 private SessionContext sessionContext;

通过主体,我可以检查用户名,并使用 EJB 实体管理器从数据库中获取用户信息并将其存储在我的 SessionInformation EJB 中.

With the principal, I can check the username and, using the EJB Entity Manager, get the User information from the database and store in my SessionInformation EJB.

我还四处寻找注销的最佳方式.我发现的最好的方法是使用 Servlet:

I also looked around for the best way to logout. The best one that I've found is using a Servlet:

 @WebServlet(name = "LogoutServlet", urlPatterns = {"/logout"})
 public class LogoutServlet extends HttpServlet {
  @Override
  protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
   HttpSession session = request.getSession(false);

   // Destroys the session for this user.
   if (session != null)
        session.invalidate();

   // Redirects back to the initial page.
   response.sendRedirect(request.getContextPath());
  }
 }

尽管考虑到问题的日期,我的回答真的很晚,但我希望这能帮助其他像我一样从 Google 来到这里的人.

Although my answer is really late considering the date of the question, I hope this helps other people that end up here from Google, just like I did.

巧,

维托·索萨

这篇关于使用 j_security_check 在 Java EE/JSF 中执行用户身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆