Tomcat-Jaas - 如何检索主题? [英] Tomcat-Jaas - How to retrieve subject?
问题描述
我正在学习JAAS,我正在实现一个使用Tomcat和JaasRealm在webapp中使用的简单示例。
I'm studying JAAS and I'm implementing a simple example to use in a webapp using Tomcat with a JaasRealm.
现在我的问题是我不知道如何检索主题,因为代码如主题subject = Subject.getSubject(AccessController.getContext( )); 总是返回null。
Now my problem is that I don't know how to retrieve the subject since code like Subject subject = Subject.getSubject(AccessController.getContext()); always returns null.
我正在使用Tomcat 7.0.27。有没有我错过的东西?
换句话说,如何使用JAAS管理Java EE中的授权?例如,如何在JAAS的安全上下文中实现操作?
I'm using Tomcat 7.0.27. Is there something I've missed? In other terms how can I manage authorization in Java EE with JAAS? For example how can I implement an action within the secure context of JAAS?
推荐答案
我知道并且它有效,但我需要检索主题以获得roleprincipal
i knew that and it works, but I need to retrieve subject to get also roleprincipal
不幸的是,它不像Java EE那样工作。 JAAS主题只是一个主要包,其中哪些代表用户/调用者主体和/或角色主体根本不是标准化的。每个其他容器在这里做不同的事情。 Tomcat的JAASRealm的Javadoc 描述了这一点,并解释了Tomcat特定约定(强调我的):
Unfortunately, it doesn't work like that in Java EE. The JAAS Subject is just a "bag of principals", and which of those represents the user/caller principal and/or the role principal(s) is simply not standardized. Every other container does things differently here. The Javadoc for Tomcat's JAASRealm describes this and explains the Tomcat specific convention (emphasis mine):
JAAS规范描述了成功登录的结果为
javax.security。 auth.Subject实例,它可以在
Subject.getPrincipals()方法的返回值中包含零个或多个
java.security.Principal对象。但是,它没有在
上提供如何区分描述个人用户的主体(因此
适合作为
request.getUserPrincipal的值返回) )来自Principal(s)
的Web应用程序中描述该用户的授权角色。为了从JAAS执行的基础LoginMethod
实现中保持尽可能多的
独立性,以下策略由此Realm实现
:[...]
The JAAS Specification describes the result of a successful login as a javax.security.auth.Subject instance, which can contain zero or more java.security.Principal objects in the return value of the Subject.getPrincipals() method. However, it provides no guidance on how to distinguish Principals that describe the individual user (and are thus appropriate to return as the value of request.getUserPrincipal() in a web application) from the Principal(s) that describe the authorized roles for this user. To maintain as much independence as possible from the underlying LoginMethod implementation executed by JAAS, the following policy is implemented by this Realm: [...]
除此之外,在Java EE环境中,您甚至很少能够访问JAAS主题,甚至通常也不会通过特定于供应商的方法。 JAAS远不是您认为的通用标准,特别是当它涉及Java EE时。
Besides that, from a Java EE environment you rarely even have access to the JAAS Subject, often not even via vendor specific methods. JAAS is far from the universal standard that you seem to think it is, especially when it concerns Java EE.
您可以以便携方式访问的唯一内容是调用者主体和与之关联的角色,但即使是那些也不一定是JAAS登录模块构造的确切调用者主体。
The only things which you can access in a portable way are the caller principal and the roles associated with it, but even those do not have to be the exact caller principal that your JAAS login module constructed.
例如,JBoss AS使用自己的类复制此主体几次。因此,如果您的JAAS模块将 kaz.zak.FooPrincipal 存储到用户/调用者主体的Subject中,那么 HttpServletRequest#getUserPrincipal()可能会返回 org.jboss.security.SimplePrincipal 。唯一保证的是该实例上的 getName()将返回相同的字符串。
JBoss AS for instance, copies this principal a couple of times using its own classes. So, if your JAAS module stored a kaz.zak.FooPrincipal into the Subject for the user/caller principal, then HttpServletRequest#getUserPrincipal() might return a org.jboss.security.SimplePrincipal. The only thing guaranteed is that getName() on that instance will return the same string.
更多背景信息关于这个主题:
For some more background on this topic:
- Implementing container authentication in Java EE with JASPIC
- Whatever Happened to JAAS?
- Using JAAS with Tomcat
最后一个来源基本上说的是相同的东西,用不同的措辞;
The last source basically says the same thing, in different wording;
虽然可以在Tomcat中使用JAAS作为身份验证
机制(JAASRealm),但一旦用户使用JAAS框架的灵活性就会丢失
认证。这是因为主体是
,用于表示用户和角色的概念,并且不再是在执行webapp的安全上下文中可用的
。验证的
结果只能通过
request.getRemoteUser()和request.isUserInRole()获得。
Although it is possible to use JAAS within Tomcat as an authentication mechanism (JAASRealm), the flexibility of the JAAS framework is lost once the user is authenticated. This is because the principals are used to denote the concepts of "user" and "role", and are no longer available in the security context in which the webapp is executed. The result of the authentication is available only through request.getRemoteUser() and request.isUserInRole().
这减少了JAAS框架授权用于简单的
用户/角色系统,该系统失去与Java Security
Policy的连接。
This reduces the JAAS framework for authorization purposes to a simple user/role system that loses its connection with the Java Security Policy.
这篇关于Tomcat-Jaas - 如何检索主题?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
