×

Loading...
Ad by
  • 推荐 OXIO 加拿大高速网络,最低月费仅$40. 使用推荐码 RCR37MB 可获得一个月的免费服务
Ad by
  • 推荐 OXIO 加拿大高速网络,最低月费仅$40. 使用推荐码 RCR37MB 可获得一个月的免费服务

请问你对jboss的security了解吗?有亲手写过代码啊?能指点一下我写的代码吗?

本文发表在 rolia.net 枫下论坛经过一段时间的研究,感觉理解了一些,但是有些关键的东西,还是迷惑。

jboss的文档写的太简单了。


public class McAuthLoginModule implements LoginModule {
private final Logger logger = LoggerFactory.getLogger(getClass());

private Subject subject;
private CallbackHandler callbackHandler;
private Map<String, ?> sharedState;
private Map<String, ?> options;

// this is the roles organised into group of the login person, who might
// have
// many roles.
private McAuthGroup rolesGroup;

private McAuthGroup callerPrincipal;

@Override
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map<String, ?> sharedState, Map<String, ?> options) {
logger.info("Initiating init");

// these 4 must be init. otherwise it wont work
setSubject(subject);
setCallbackHandler(callbackHandler);
setSharedState(sharedState);
setOptions(options);

logger.info("Ending init");

}

// commit must return true for successful login
@Override
public boolean login() throws LoginException {

logger.info("Initiating login");
long loginDuration = System.currentTimeMillis();

NameCallback nameCallback = new NameCallback("Username");
PasswordCallback passwordCallback = new PasswordCallback("Password",
false);

try {
getCallbackHandler().handle(
new Callback[] { nameCallback, passwordCallback });
} catch (IOException | UnsupportedCallbackException e) {
e.printStackTrace();
}

String loginName = nameCallback.getName();
char[] password = passwordCallback.getPassword();

logger.info("user name is {}, password is {}", loginName,
String.valueOf(password));

/*
* http://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modules.html#sect-Custom_Modules
*
* The JBossSX framework uses two well-known role sets with the names Roles and CallerPrincipal. The Roles group is the collection of Principals for the named roles as known in the application
* domain under which the Subject has been authenticated. This role set is used by methods like the EJBContext.isCallerInRole(String), which EJBs can use to see if the current caller belongs
* to the named application domain role. The security interceptor logic that performs method permission checks also uses this role set. The CallerPrincipalGroup consists of the single
* Principal identity assigned to the user in the application domain. The EJBContext.getCallerPrincipal() method uses the CallerPrincipal to allow the application domain to map from the
* operation environment identity to a user identity suitable for the application. If a Subject does not have a CallerPrincipalGroup, the application identity is the same used for login.
*/
McAuthGroup callerPrincipal = new McAuthGroup("CallerPrincipal");
callerPrincipal.addMember(new McAuthRole(new Random().nextInt()
+ "user"));
setCallerPrincipal(callerPrincipal);

McAuthGroup rolesGroup = new McAuthGroup("Roles");
McAuthRole role = new McAuthRole("user");
rolesGroup.addMember(role);

setRolesGroup(rolesGroup);

loginDuration = System.currentTimeMillis() - loginDuration;
logger.info("Ending login {} successfully in {} ms", loginName,
loginDuration);
return true;
}

private Principal[] getPrincipals() {
return new Principal[] { getCallerPrincipal(), getRolesGroup() };
}

// commit must return true for successful login
@Override
public boolean commit() throws LoginException {
logger.info("Initiating commit");

Set<Principal> principals = getSubject().getPrincipals();

for (Principal principal : getPrincipals())
principals.add(principal);

logger.info("Ending commit");
return true;
}

@Override
public boolean abort() throws LoginException {
logger.info("Initiating abort");

logger.info("Ending abort");
return true;
}

@Override
public boolean logout() throws LoginException {
logger.info("Initiating logout");

Set<Principal> principals = getSubject().getPrincipals();
for (Principal principal : getPrincipals())
principals.remove(principal);

logger.info("Ending logout");
return true;
}

// getters and setters
public Subject getSubject() {
return subject;
}

public void setSubject(Subject subject) {
this.subject = subject;
}

public CallbackHandler getCallbackHandler() {
return callbackHandler;
}

public void setCallbackHandler(CallbackHandler callbackHandler) {
this.callbackHandler = callbackHandler;
}

public Map<String, ?> getSharedState() {
return sharedState;
}

public void setSharedState(Map<String, ?> sharedState) {
this.sharedState = sharedState;
}

public Map<String, ?> getOptions() {
return options;
}

public void setOptions(Map<String, ?> options) {
this.options = options;
}

public McAuthGroup getRolesGroup() {
return rolesGroup;
}

public void setRolesGroup(McAuthGroup rolesGroup) {
this.rolesGroup = rolesGroup;
}

public McAuthGroup getCallerPrincipal() {
return callerPrincipal;
}

public void setCallerPrincipal(McAuthGroup callerPrincipal) {
this.callerPrincipal = callerPrincipal;
}

}更多精彩文章及讨论,请光临枫下论坛 rolia.net
Report

Replies, comments and Discussions:

  • 工作学习 / 学科技术讨论 / 请教Jbos7,jboss8(wildfly) security 高人,现在的项目需要使用jaas,custom login module
    网上的资料实在是太少,我一个人负责整个项目,没有人可以请教。

    谁对jboss SX (security extension)熟悉的话,请帮帮忙吧。
    • 既然是custom module,就购买或自行开发,vendor or developer should provide specification per platform
      • 请问你对jboss的security了解吗?有亲手写过代码啊?能指点一下我写的代码吗?
        本文发表在 rolia.net 枫下论坛经过一段时间的研究,感觉理解了一些,但是有些关键的东西,还是迷惑。

        jboss的文档写的太简单了。


        public class McAuthLoginModule implements LoginModule {
        private final Logger logger = LoggerFactory.getLogger(getClass());

        private Subject subject;
        private CallbackHandler callbackHandler;
        private Map<String, ?> sharedState;
        private Map<String, ?> options;

        // this is the roles organised into group of the login person, who might
        // have
        // many roles.
        private McAuthGroup rolesGroup;

        private McAuthGroup callerPrincipal;

        @Override
        public void initialize(Subject subject, CallbackHandler callbackHandler,
        Map<String, ?> sharedState, Map<String, ?> options) {
        logger.info("Initiating init");

        // these 4 must be init. otherwise it wont work
        setSubject(subject);
        setCallbackHandler(callbackHandler);
        setSharedState(sharedState);
        setOptions(options);

        logger.info("Ending init");

        }

        // commit must return true for successful login
        @Override
        public boolean login() throws LoginException {

        logger.info("Initiating login");
        long loginDuration = System.currentTimeMillis();

        NameCallback nameCallback = new NameCallback("Username");
        PasswordCallback passwordCallback = new PasswordCallback("Password",
        false);

        try {
        getCallbackHandler().handle(
        new Callback[] { nameCallback, passwordCallback });
        } catch (IOException | UnsupportedCallbackException e) {
        e.printStackTrace();
        }

        String loginName = nameCallback.getName();
        char[] password = passwordCallback.getPassword();

        logger.info("user name is {}, password is {}", loginName,
        String.valueOf(password));

        /*
        * http://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modules.html#sect-Custom_Modules
        *
        * The JBossSX framework uses two well-known role sets with the names Roles and CallerPrincipal. The Roles group is the collection of Principals for the named roles as known in the application
        * domain under which the Subject has been authenticated. This role set is used by methods like the EJBContext.isCallerInRole(String), which EJBs can use to see if the current caller belongs
        * to the named application domain role. The security interceptor logic that performs method permission checks also uses this role set. The CallerPrincipalGroup consists of the single
        * Principal identity assigned to the user in the application domain. The EJBContext.getCallerPrincipal() method uses the CallerPrincipal to allow the application domain to map from the
        * operation environment identity to a user identity suitable for the application. If a Subject does not have a CallerPrincipalGroup, the application identity is the same used for login.
        */
        McAuthGroup callerPrincipal = new McAuthGroup("CallerPrincipal");
        callerPrincipal.addMember(new McAuthRole(new Random().nextInt()
        + "user"));
        setCallerPrincipal(callerPrincipal);

        McAuthGroup rolesGroup = new McAuthGroup("Roles");
        McAuthRole role = new McAuthRole("user");
        rolesGroup.addMember(role);

        setRolesGroup(rolesGroup);

        loginDuration = System.currentTimeMillis() - loginDuration;
        logger.info("Ending login {} successfully in {} ms", loginName,
        loginDuration);
        return true;
        }

        private Principal[] getPrincipals() {
        return new Principal[] { getCallerPrincipal(), getRolesGroup() };
        }

        // commit must return true for successful login
        @Override
        public boolean commit() throws LoginException {
        logger.info("Initiating commit");

        Set<Principal> principals = getSubject().getPrincipals();

        for (Principal principal : getPrincipals())
        principals.add(principal);

        logger.info("Ending commit");
        return true;
        }

        @Override
        public boolean abort() throws LoginException {
        logger.info("Initiating abort");

        logger.info("Ending abort");
        return true;
        }

        @Override
        public boolean logout() throws LoginException {
        logger.info("Initiating logout");

        Set<Principal> principals = getSubject().getPrincipals();
        for (Principal principal : getPrincipals())
        principals.remove(principal);

        logger.info("Ending logout");
        return true;
        }

        // getters and setters
        public Subject getSubject() {
        return subject;
        }

        public void setSubject(Subject subject) {
        this.subject = subject;
        }

        public CallbackHandler getCallbackHandler() {
        return callbackHandler;
        }

        public void setCallbackHandler(CallbackHandler callbackHandler) {
        this.callbackHandler = callbackHandler;
        }

        public Map<String, ?> getSharedState() {
        return sharedState;
        }

        public void setSharedState(Map<String, ?> sharedState) {
        this.sharedState = sharedState;
        }

        public Map<String, ?> getOptions() {
        return options;
        }

        public void setOptions(Map<String, ?> options) {
        this.options = options;
        }

        public McAuthGroup getRolesGroup() {
        return rolesGroup;
        }

        public void setRolesGroup(McAuthGroup rolesGroup) {
        this.rolesGroup = rolesGroup;
        }

        public McAuthGroup getCallerPrincipal() {
        return callerPrincipal;
        }

        public void setCallerPrincipal(McAuthGroup callerPrincipal) {
        this.callerPrincipal = callerPrincipal;
        }

        }更多精彩文章及讨论,请光临枫下论坛 rolia.net
        • 先试试authentication against ActiveDirectory是否满足要求,这是在container level jboss层实现的,当然也可以直接在java code里query LDAP
          • 谢谢你的回答,发现这是一个jboss8的bug
            https://issues.jboss.org/browse/WFLY-3221

            不知道他们什么时候能fix。