JSP登录与声明性安全 - 如何实际验证发生的呢? [英] JSP login with declarative security - How does the actual authentication happen?
问题描述
我已经与这个有点疑惑,因为我还没有看到这给了我完整的图片的例子很多。我发现迄今最好的解释是这个。
通过定义在web.xml中的安全角色,如管理员为例,和具有所有必要的领域我的登录表单(即j_security_check不如行动,田间地头为j_username,为j_password),如何/在哪里做实际验证发生的?
我打算使用存储在数据库中的用户名/密码(哈希)使用自定义的验证。当用户提交表单时,我怎么做了Java EE Web容器调用我的sevlet / bean方法不执行实际的认证?我没有看到任何地方的钩子在web.xml中哪些会做实际的认证添加到我的code。
通过定义在web.xml中的安全角色,如管理员为例,和具有所有必要的领域我的登录表单(即j_security_check不如行动,田间地头为j_username,为j_password),如何/在哪里做实际验证发生的?
块引用>在Servlet实现的servletcontainer。在Tomcat中为例,它是由<一个完成href=\"http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/authenticator/AuthenticatorBase.html\"相对=nofollow>
AuthenticatorBase
类(来源$ C $ C的这里)。
我打算使用存储在数据库中的用户名/密码(哈希)使用自定义的验证。当用户提交表单时,我怎么做了Java EE Web容器调用我的sevlet / bean方法不执行实际的认证?我没有看到任何地方的钩子在web.xml中哪些会做实际的认证添加到我的code。
块引用>如果您想继续使用容器管理的认证,而是要检查的登录对数据库,那么你需要配置所谓的境界相应。目前还不清楚这servletcontainer你使用,但在例如Tomcat的,文档可以在这里找到:的的Tomcat 6.0境界HOW-TO 的。
如果你真的想拥有自己的自主开发的认证系统调用,而不是,那么你需要删除的容器管理的安全性,并进一步homegrow它。的不推荐的
I've been a little puzzled with this as I have not seen many examples that gave me the complete picture. The best explanation I found so far is this.
By defining a security role in web.xml such as "admin" for example, and having my login form with all the necessary fields (i.e j_security_check as action, and fields j_username, j_password), how/where does the actual authentication occur?
I plan to use a custom authentication using username/passwords (hashes) stored in the database. When the user submits the form, how do I make the Java EE Web Container invoke my sevlet/bean method do perform the actual authentication? I didn't notice any place to add a hook to my code in web.xml which would do the actual authentication.
解决方案By defining a security role in web.xml such as "admin" for example, and having my login form with all the necessary fields (i.e j_security_check as action, and fields j_username, j_password), how/where does the actual authentication occur?
In the servlet implementation, the servletcontainer. In Tomcat for example, it's done by the
AuthenticatorBase
class (source code here).I plan to use a custom authentication using username/passwords (hashes) stored in the database. When the user submits the form, how do I make the Java EE Web Container invoke my sevlet/bean method do perform the actual authentication? I didn't notice any place to add a hook to my code in web.xml which would do the actual authentication.
If you'd like to keep using container managed authentication, but instead want to check the login against a database, then you need to configure the so-called "realm" accordingly. It's unclear which servletcontainer you're using, but in for example Tomcat, the documentation is available here: Tomcat 6.0 Realm HOW-TO.
If you really want to have your own homegrown authentication system invoked instead, then you need to drop the container managed security and homegrow it further. Which is not recommended.
这篇关于JSP登录与声明性安全 - 如何实际验证发生的呢?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!