在一句话中,我想配置JBoss 4.2.2使用DatabaseServerLoginModule作为通过摘要式身份验证保护的Web应用程序的登录模块.我遇到的问题是密码无法验证.我怀疑问题出在我如何定义应用程序策略或密码如何存储在数据库中.
以下是所有相关文件.我有一个MysqL数据库,其中包含使用以下模式定义的用户和角色:
CREATE TABLE SR_USER ( ID BIGINT(19) NOT NULL AUTO_INCREMENT,USERNAME VARCHAR(20) NOT NULL,PASSWORD VARCHAR(255) NOT NULL,PRIMARY KEY (ID) ) CHaraCTER SET utf8; CREATE TABLE SR_ROLE ( ID BIGINT(19) NOT NULL AUTO_INCREMENT,ROLE_NAME VARCHAR(20) NOT NULL,PRIMARY KEY (ID) ) CHaraCTER SET utf8; CREATE TABLE SR_USER_ROLE ( FK_USER_ID BIGINT(19) NOT NULL,FK_ROLE_ID BIGINT(19) NOT NULL,FOREIGN KEY (FK_USER_ID) REFERENCES SR_USER (ID),FOREIGN KEY (FK_ROLE_ID) REFERENCES SR_ROLE (ID) ) CHaraCTER SET utf8;
对于login-config.xml文件中的应用程序策略,我定义了以下内容:
<application-policy name="secrest">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag="required">
<module-option name="dsJndiName">java:/SecRestDS</module-option>
<module-option name="principalsQuery">
SELECT PASSWORD FROM SR_USER WHERE USERNAME=?
</module-option>
<module-option name="rolesQuery">
SELECT r.ROLE_NAME FROM SR_ROLE r,SR_USER_ROLE ur,SR_USER u WHERE
u.USERNAME=? AND u.ID=ur.FK_USER_ID AND ur.FK_ROLE_ID=r.ID
</module-option>
<module-option name="hashAlgorithm">MD5</module-option>
<module-option name="hashEncoding">hex</module-option>
</login-module>
</authentication>
</application-policy>
这是我的Web应用程序的web.xml文件:
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<servlet>
<servlet-name>JerseyServlet</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>com.acme.samples.SecureRESTApplication</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>JerseyServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>secrest</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>DIGEST</auth-method>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
</web-app>
最后,这是jboss-web.xml:
<jboss-web> <security-domain>java:/jaas/secrest</security-domain> </jboss-web>
INSERT INTO SR_ROLE (ROLE_NAME) VALUES ('admin');
INSERT INTO SR_ROLE (ROLE_NAME) VALUES ('apiuser');
INSERT INTO SR_USER (USERNAME,PASSWORD) VALUES ('user1',PASSWORD('p455w0rd'));
INSERT INTO SR_USER (USERNAME,PASSWORD) VALUES ('user2','p455w0rd');
INSERT INTO SR_USER (USERNAME,PASSWORD) VALUES ('user3','a4fd8e6fa9fbf9a6f2c99e7b70aa9ef2');
INSERT INTO SR_USER_ROLE (FK_USER_ID,FK_ROLE_ID) VALUES (1,1);
INSERT INTO SR_USER_ROLE (FK_USER_ID,2);
INSERT INTO SR_USER_ROLE (FK_USER_ID,FK_ROLE_ID) VALUES (2,FK_ROLE_ID) VALUES (3,2);
如您所见,所有三个用户(例如user1,user2,user3)都具有相同的密码;但在每种情况下,使用MD5哈希编码(或不编码)密码.但是,上述情况都不起作用.这是我认为的问题的核心.
解决方法
所以我终于想出了这一个.关键是以下内容:
<application-policy name="secrest">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName">java:/SecRestDS</module-option>
<module-option name="principalsQuery">
SELECT PASSWORD FROM SR_USER WHERE USERNAME=?
</module-option>
<module-option name="rolesQuery">
SELECT r.ROLE_NAME,'Roles' FROM SR_ROLE r,SR_USER u WHERE
u.USERNAME=? AND u.ID=ur.FK_USER_ID AND ur.FK_ROLE_ID=r.ID
</module-option>
<module-option name="hashAlgorithm">MD5</module-option>
<module-option name="hashEncoding">rfc2617</module-option>
<module-option name="ignorePasswordCase">false</module-option>
<module-option name="hashStorePassword">true</module-option>
<module-option name="hashUserPassword">false</module-option>
<module-option name="storeDigestCallback">org.jboss.security.auth.spi.RFC2617Digest</module-option>
</login-module>
</authentication>
原文地址:https://www.jb51.cc/html/231531.html
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
