形成基于JSF认证 [英] Form based authentication in JSF

问题描述

我想实现在JSF / Primefaces应用一个简单的身份验证。我已经试过很多不同的东西，例如对话框 - 登录演示让对话框上的简单的测试，但它并不登录用户或？

我也有在Java安全性采取一看，这样的：

 ＆LT;安全约束＆GT;
    ＆LT;网上资源收集和GT;
        ＆LT;网上资源名称＆gt;保护​​区和LT; /网络资源名称＆gt;
        ＆LT; URL模式＆GT; /保护/ *＆LT; / URL模式＆GT;
        ＆LT; HTTP的方法＆gt;＆PUT LT; / HTTP的方法＆gt;
        ＆LT; HTTP的方法＆gt;＆删除LT; / HTTP的方法＆gt;
        ＆LT; HTTP的方法＆gt; GET＆LT; / HTTP的方法＆gt;
        ＆LT; HTTP的方法＆gt;中邮LT; / HTTP的方法＆gt;
    ＆LT; /网上资源收集和GT;
    ＆LT; AUTH约束＆GT;
        ＆LT;角色名称＆gt;＆REGISTERED_USER LT; /角色名称＆gt;
    ＆LT; / AUTH约束＆GT;
＆LT; /安全约束＆GT;
 

有了这个一切都在/保护的保护，但据我了解我必须定义在服务器进行身份验证的领域。我不想指定此服务器，但只是在数据库中有一个简单的查找它。

有没有一种方法，而不在应用程序服务器定义的东西来验证用户？或anonther简单的解决方案进行验证和保护不同的页面？

解决方案

  

有没有一种方法，而不在应用程序服务器定义的东西来验证用户？

这是一个长期和的非常的棘手的故事。它往往出现为一个针对Java EE的批评的要点。

故事的核心是传统的Java EE应用程序都应该以未解决的依赖关系进行部署。这些依赖已经到应用服务器来满足，通常是由人谁是不是开发者，经常使用某种GUI或控制台。

安全配置是那些未解决的依赖性之一。

如果安全配置是在应用服务器完成的，这是定义总是不便于携带，例如它在应用服务器的特定的方式来进行。它完全排除了使用应用程序域模型（例如JPA实体用户），此验证。

某些服务器（如，JBoss AS）允许在应用程序内配置其专有的安全机制，并且还允许'自定义登录模块（这个词是pretty太大每台服务器的不同）从应用程序加载为好。随着一些小黑客，这将允许应用领域模型的使用和同一数据源应用程序本身使用进行身份验证。

最后，还有从一个应用程序中做验证一个相对陌生的可移植的方式。这是通过完成在 JASPIC SPI，又称 JASPI 或 JSR 196 。基本上，这JASPIC似乎是你在找什么。

不幸的是，JASPIC是不完美的，即使它是从Java EE 6的技术和我们差不多在的Java EE 7，在为JASPIC时刻支持各种应用服务器仍然是粗略的。最重要的是，即使JASPIC标准化，应用服务器厂商的还是的不知何故需要专门配置的实际，使其工作。

我写了一篇关于JASPIC的文章，详细解释了目前存在的问题：<一href=\"http://arjan-tijms.blogspot.com/2012/11/implementing-container-authentication.html\">Implementing在Java EE中与JASPIC 容器认证

I would like to implement a simple authentication in an JSF/Primefaces application. I have tried lots of different things, e.g. Dialog - Login Demo makes a simple test on a dialog, but it does not login a user or?

I also have taken a look at Java Security, like:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/protected/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>REGISTERED_USER</role-name>
    </auth-constraint>
</security-constraint>

With this everything under /protected is protected, but as far as i understand i need to define a realm in the server for authentication. I do not want to specify this in the server but just have a simple lookup in the database for it.

Is there a way to authenticate a user without defining something in the application server? Or anonther simple solution to authenticate and protect different pages?

解决方案

Is there a way to authenticate a user without defining something in the application server?

This is a long and very thorny story. It often comes up as one the main points of criticism against Java EE.

The core of the story is that traditionally Java EE applications are supposed to be deployed with "unresolved dependencies". Those dependencies have to be satisfied at the application server, typically by someone who is not a developer, often by using some kind of GUI or console.

Security configuration is one of those unresolved dependencies.

If the security configuration is done at the application server, this is by definition always not portable, e.g. it has to be done in an application server specific way. It completely rules out using application domain models (e.g. a JPA entity User) for this authentication.

Some servers (e.g. JBoss AS) allow configuring their proprietary security mechanisms from within the application, and additionally allow for 'custom login modules' (the term is different for pretty much every server) to be loaded from the application as well. With some small hacks, this will allow the usage of application domain models and the same data source that the application itself uses for authentication.

Finally, there's a relatively unknown portable way to do authentication from within an application. This is done via the JASPIC SPI, also known as JASPI or JSR 196. Basically, this JASPIC seems to be what you are looking for.

Unfortunately, JASPIC is not perfect and even though it's a technology from Java EE 6 and we're almost at Java EE 7, at the moment support for JASPIC in various application servers is still sketchy. On top of that, even though JASPIC is standardized, application server vendors still somehow require proprietary configuration to actually make it work.

I wrote an article about JASPIC that explains the current problems in more detail: Implementing container authentication in Java EE with JASPIC

这篇关于形成基于JSF认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！