使用j_security_check执行用户身份验证的Java EE / JSF [英] Performing user authentication in Java EE / JSF using j_security_check
问题描述
我想知道什么目前的做法是关于Web应用程序利用的JSF 2.0(如果任何组件确实存在)和Java EE 6的核心机制,用户认证(登录/检查权限/注销)用户信息持有在JPA实体。甲骨文的Java EE教程是关于这个(只处理servlet的)。
I'm wondering what the current approach is regarding user authentication for a web application making use of JSF 2.0 (and if any components do exist) and Java EE 6 core mechanisms (login/check permissions/logouts) with user information hold in a JPA entity. The Oracle Java EE tutorial is a bit sparse on this (only handles servlets).
这是的无利用完全是另外一个框架,比如Spring-安全(Acegi的),或者Seam的,而是试图用新的Java EE 6平台(网络配置文件)希望坚持如果可能的话
This is without making use of a whole other framework, like Spring-Security (acegi), or Seam, but trying to stick hopefully with the new Java EE 6 platform (web profile) if possible.
推荐答案
在网上搜索并尝试许多不同的方式后,这里是我建议对Java EE 6的认证:
After searching the Web and trying many different ways, here's what I'd suggest for Java EE 6 authentication:
在我的情况,我在数据库中的用户。于是我跟着这个博客帖子创建JDBC领域,可以验证基于用户名和MD5哈希密码在我的数据库表的用户:
In my case, I had the users in the database. So I followed this blog post to create a JDBC Realm that could authenticate users based on username and MD5-hashed passwords in my database table:
<一个href=\"http://blog.gamatam.com/2009/11/jdbc-realm-setup-with-glassfish-v3.html\">http://blog.gamatam.com/2009/11/jdbc-realm-setup-with-glassfish-v3.html
注:有关在数据库中的用户和组表后举行了会谈。我有一个User类通过javax.persistence注释数据库映射一个UserType枚举属性。我配置了用户和组相同的表领域,使用用户等级和积分列小组列,它工作得很好。
Note: the post talks about a user and a group table in the database. I had a User class with a UserType enum attribute mapped via javax.persistence annotations to the database. I configured the realm with the same table for users and groups, using the userType column as the group column and it worked fine.
不过按照上述博客文章,配置,但而不是使用基本身份验证,使用形式(实际上,这不要紧,你用哪一个,但我结束了使用FORM web.xml和sun-web.xml中)。使用标准的HTML,而不是JSF。
Still following the above blog post, configure your web.xml and sun-web.xml, but instead of using BASIC authentication, use FORM (actually, it doesn't matter which one you use, but I ended up using FORM). Use the standard HTML , not the JSF .
然后使用BalusC的尖端上方懒初始化从数据库中的用户信息。他建议做一个托管bean获得从faces上下文的主体。我用,相反,有状态会话bean来存储每个用户的会话信息,所以我注入会话上下文:
Then use BalusC's tip above on lazy initializing the user information from the database. He suggested doing it in a managed bean getting the principal from the faces context. I used, instead, a stateful session bean to store session information for each user, so I injected the session context:
@Resource
private SessionContext sessionContext;
通过校长,我可以检查用户名,并使用EJB实体管理器,得到我的 SessionInformation
EJB的数据库和存储用户的信息。
With the principal, I can check the username and, using the EJB Entity Manager, get the User information from the database and store in my SessionInformation
EJB.
我也看了周围注销的最佳途径。我发现使用一个Servlet最好的一个:
I also looked around for the best way to logout. The best one that I've found is using a Servlet:
@WebServlet(name = "LogoutServlet", urlPatterns = {"/logout"})
public class LogoutServlet extends HttpServlet {
@Override
protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
HttpSession session = request.getSession(false);
// Destroys the session for this user.
if (session != null)
session.invalidate();
// Redirects back to the initial page.
response.sendRedirect(request.getContextPath());
}
}
虽然我的答案是真的晚了考虑问题的日期,我希望这有助于从谷歌在这里结束了其他人,就像我一样。
Although my answer is really late considering the date of the question, I hope this helps other people that end up here from Google, just like I did.
Ciao的,
维克托•索萨
这篇关于使用j_security_check执行用户身份验证的Java EE / JSF的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!