Using HTTP Request.login with JBoss/JAAS


Problem description

I have successfully set up a JBoss security domain, and can authenticate using BASIC authentication (as defined in web.xml). This all works well. I cannot however figure out how to use the http request.login method.

The following security domain (from jboss-web.xml) works for BASIC authentication:

<jboss-web>  
    <context-root>/myapp</context-root>  
    <security-domain>java:/jaas/myapp-realm</security-domain>  
</jboss-web> 

But when I use request.login as follows:

public void login() {
    FacesContext context = FacesContext.getCurrentInstance();
    HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();
    try {
        request.login(username, password);
    }
    catch (ServletException ex) {
        java.util.logging.Logger.getLogger(UserLogin.class.getName()).log(Level.SEVERE, null, ex);
    }
}

I get the following exception:

javax.servlet.ServletException: Failed to authenticate a principal

I know the username/password is fine (it worked fine using BASIC auth). I have TRACE level logging on, and it doesn't look like it is even trying to authenticate. What have I missed?

See http://java-web-development.blogspot.com/2011/07/jee-6-security-part-two-implementation.html if you need more details about my setup/config. I am using JBoss 6.

Recommended answer

It is now working. I made sure FORM based authentication worked, and once that worked I went back to using request.login and it worked?! I use hot deployments via JRebel so it is a possibility I had authenticated with BASIC auth and it left a user principal in my session which then caused the request.login to fail (request.login throws an exception if you are already authenticated). I swear I had done a hard restart of JBoss, but this is the only logical thing I can think of.

I now have a sanity check around the login, like so:

public void login() {
    FacesContext context = FacesContext.getCurrentInstance();
    HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();
    try {
        // request.login throws ServletException if a principal is already
        // established on the request, so clear any existing one first.
        Principal userPrincipal = request.getUserPrincipal();
        if (userPrincipal != null) {
            request.logout();
        }
        request.login(username, password);
        // Look up the application user for the newly authenticated principal.
        userPrincipal = request.getUserPrincipal();
        authUser = userDao.findByLogin(userPrincipal.getName());
    }
    catch (ServletException ex) {
        java.util.logging.Logger.getLogger(UserLogin.class.getName()).log(Level.SEVERE, null, ex);
    }
}
