Java EE 6 Programmatic security, glassfish and JDBC realm


Problem description



I'm exploring pure Java EE ways of doing programmatic security, especially login users, based on the jdbc realm from my glassfish server.

So basically, in my login servlet I'm doing

String username = request.getParameter("username");
String password = request.getParameter("password");

try {
    request.login(username, password);
    ....
} catch (ServletException e) {
    // login() failed: wrong credentials or no usable login configuration
}

Without doing anything in my web.xml, the default realm (file) is used. I don't want that, I want to use my jdbcRealm named jdbcsecurerealm.

So I'm adding the following to my web.xml

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jdbcsecurerealm</realm-name>
</login-config>

Note that I don't add any form-login-config to define form-login-page and form-error-page.

Then if I define security constraints such as

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin Pages</web-resource-name>
        <description></description>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>administrator</role-name>
    </auth-constraint>
</security-constraint>

well... it works! The request.login checks against my jdbcRealm, and if I try to access secured pages without being logged in, then I'm getting a nice 403.

But it seems that I'm mixing declarative security and programmatic security, because I feel that I shouldn't be declaring anything inside web.xml but rather be using request.isUserInRole.

Question:

Am I hitting a glassfish specific behaviour, or is it allowed to use programmatic security (request.login) with a jdbc realm defined inside web.xml without form-login-config?

Update: I've just seen that there is a possibility to specify a realm inside glassfish-application.xml. Is it a better approach to build an ear instead of a war in order to specify the realm?

Solution

A purely programmatic approach in a portable (pure Java EE) way is not possible when you use container specific (proprietary) login modules such as the GlassFish JDBC login module/realm.

There is an API in Java EE 6 for this: JASPIC. With that API (SPI technically), you can build portable authentication modules AND configure them fully programmatically without the need for any declaration.

I wrote a blog article about this that hopefully provides you with some more details.
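As an added illustration of the portable route the answer points to (example code, not from the question, the answer or its blog article), here is a minimal JASPIC 1.0 ServerAuthModule that takes the same username/password form parameters the question's servlet reads and establishes the caller and groups itself, so no container-specific realm is involved. The class name, the in-memory user map standing in for the JDBC table, and the sample user are assumptions; registering the module with AuthConfigFactory is a separate step not shown.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Portable JASPIC module (assumed name). USERS is a constructed stand-in for a JDBC
// user table; the container's CallbackHandler turns the callbacks into the caller identity.
public class FormAuthModule implements ServerAuthModule {
    private static final String MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private static final Map<String, String[]> USERS = new HashMap<>(); // user -> {password, group}
    static { USERS.put("alice", new String[] { "s3cret", "administrator" }); } // constructed sample
    private CallbackHandler handler;

    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map opts) {
        this.handler = h;
    }
    public Class<?>[] getSupportedMessageTypes() {
        return new Class<?>[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) mi.getResponseMessage();
        String user = req.getParameter("username"), pass = req.getParameter("password");
        String[] rec = user == null ? null : USERS.get(user);
        try {
            if (rec != null && rec[0].equals(pass)) { // plaintext stand-in for a salted-hash check
                handler.handle(new Callback[] {        // caller name plus groups (mapped to roles)
                    new CallerPrincipalCallback(client, user),
                    new GroupPrincipalCallback(client, new String[] { rec[1] }) });
                return AuthStatus.SUCCESS;
            }
            if (Boolean.parseBoolean((String) mi.getMap().get(MANDATORY))) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); // protected URL, no valid login
                return AuthStatus.SEND_FAILURE;
            }
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, (Principal) null) });
            return AuthStatus.SUCCESS; // unprotected URL: continue as an anonymous caller
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject subject) { subject.getPrincipals().clear(); }
}
```

The group name handed to GroupPrincipalCallback is what a security-constraint role-name such as administrator is matched against, so request.isUserInRole works unchanged.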
