Using JAASRealm in Tomcat
2004-12-30 15:19
Introduction
JAASRealm is an implementation of the Tomcat 4 Realm interface that authenticates users through the Java Authentication & Authorization Service (JAAS) framework, a Java package that is available as an optional package in Java 2 SDK 1.3 and is fully integrated as of SDK 1.4.
Using JAASRealm gives the developer the ability to combine practically any conceivable security realm with Tomcat's container-managed authentication (CMA).
JAASRealm is a prototype for Tomcat of the proposed JAAS-based J2EE authentication framework for J2EE v1.4, based on JCP Specification Request 196, which aims to enhance container-managed security and promote 'pluggable' authentication mechanisms whose implementations would be container-independent.
Based on the JAAS login module and principal (see javax.security.auth.spi.LoginModule and java.security.Principal), you can develop your own security mechanism or wrap another third-party mechanism for integration with the CMA as implemented by Tomcat.
Quick Start
To set up Tomcat to use JAASRealm with your own JAAS login module, follow these steps:

1. Write your own LoginModule, User and Role classes based on JAAS (see the JAAS Authentication Tutorial and the JAAS Login Module Developer's Guide) to be managed by the JAAS LoginContext (javax.security.auth.login.LoginContext). When developing your LoginModule, note that JAASRealm's built-in CallbackHandler only recognizes the NameCallback and PasswordCallback at present.
   Although not required by JAAS, you should create separate classes to distinguish between users and roles, each implementing java.security.Principal, so that Tomcat can tell which Principals returned from your login module are users and which are roles (see org.apache.catalina.realm.JAASRealm). Regardless, the first Principal returned is always treated as the user Principal.
2. Place the compiled classes on Tomcat's classpath.
3. Set up a login.config file for Java (see JAAS LoginConfig file) and tell Tomcat where to find it by passing its location to the JVM, for instance by setting the environment variable:
   JAVA_OPTS=-Djava.security.auth.login.config==$CATALINA_HOME/conf/jaas.config
   The double `==` tells JAAS to use only this file; with a single `=` the file would be added to the login configuration files already listed in the JVM's java.security.
4. Configure the security-constraints in your web.xml for the resources you want to protect.
5. Configure the JAASRealm module in your server.xml.
6. Restart Tomcat 4 if it is already running.
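As an added example (not code from the Tomcat documentation or the Tomcat project), here is a LoginModule that fits the steps above: it asks JAASRealm's CallbackHandler only for a NameCallback and a PasswordCallback, checks the password against a constructed in-memory store, and on commit() adds a FooUser Principal followed by FooRole Principals, which is what the userClassNames/roleClassNames of the server.xml example further down expect. The package org.foobar.realm, the class names, the sample user "alice" with password "s3cret" and the jaas.config stanza in the header comment are all assumptions; the code needs Java 8 or later and goes on Tomcat's classpath as in step 2.

```java
// Added example, not from the Tomcat docs: a minimal JAAS LoginModule for JAASRealm
// with distinct user and role Principals. Assumed jaas.config stanza (appName "MyFooRealm"):
//   MyFooRealm { org.foobar.realm.FooLoginModule required; };
package org.foobar.realm;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Separate classes let JAASRealm sort Principals by userClassNames/roleClassNames.
// Shown in one file for brevity; in a project each is a public class in its own file.
class FooUser implements Principal {
    private final String name;
    FooUser(String name) { this.name = name; }
    public String getName() { return name; }
}
class FooRole implements Principal {
    private final String name;
    FooRole(String name) { this.name = name; }
    public String getName() { return name; }
}

public class FooLoginModule implements LoginModule {
    // Constructed sample store (username -> SHA-1 hex of password, and role names);
    // a real module would query a database or directory here.
    private static final Map<String, String> DIGESTS = new HashMap<String, String>();
    private static final Map<String, String[]> ROLES = new HashMap<String, String[]>();
    static {
        DIGESTS.put("alice", sha1Hex("s3cret"));
        ROLES.put("alice", new String[] { "manager", "tomcat" });
    }

    private Subject subject;
    private CallbackHandler handler;
    private String authenticatedUser;

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        // JAASRealm's CallbackHandler answers only NameCallback and PasswordCallback.
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        String username = nameCb.getName();
        char[] password = passCb.getPassword();
        passCb.clearPassword();
        if (username == null || password == null) throw new FailedLoginException("missing credentials");
        // With digest="SHA" on the <Realm>, the callback already delivers the hex
        // digest and this sha1Hex() call would have to be dropped.
        String supplied = sha1Hex(new String(password));
        Arrays.fill(password, '\0');
        String expected = DIGESTS.get(username);
        boolean ok = expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII), supplied.getBytes(StandardCharsets.US_ASCII));
        // Always throw on failure: returning with no user Principal and no exception
        // leaves the Tomcat CMA stranded at j_security_check.
        if (!ok) throw new FailedLoginException("bad username or password");
        authenticatedUser = username;
        return true;
    }

    public boolean commit() throws LoginException {
        if (authenticatedUser == null) return false;
        subject.getPrincipals().add(new FooUser(authenticatedUser)); // user Principal first
        for (String role : ROLES.get(authenticatedUser)) subject.getPrincipals().add(new FooRole(role));
        return true;
    }

    public boolean abort() throws LoginException {
        authenticatedUser = null;
        return true;
    }

    public boolean logout() throws LoginException {
        subject.getPrincipals().removeIf(p -> p instanceof FooUser || p instanceof FooRole);
        authenticatedUser = null;
        return true;
    }

    // Lowercase hex SHA-1, the format Tomcat's digest="SHA" produces. SHA-1 is weak
    // for password storage; a store you control should use a salted, slow hash.
    static String sha1Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-1").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The failure path is the part worth copying: on a wrong password the module throws FailedLoginException instead of returning quietly, which is what keeps Tomcat from stalling at j_security_check. The password comparison uses MessageDigest.isEqual rather than String.equals so that timing does not leak how many leading digest characters matched.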
Realm Element Attributes
To configure JAASRealm as for step 5 above, you create a <Realm> element and nest it in your $CATALINA_HOME/conf/server.xml file within your <Engine> node (a <Host> or <Context> node also works if the realm should apply more narrowly). The following attributes are supported by this implementation:

| Attribute | Description |
|---|---|
| className | The fully qualified Java class name of this Realm implementation. You MUST specify the value "org.apache.catalina.realm.JAASRealm" here. |
| debug | The level of debugging detail logged by this Realm to the associated Logger. Higher numbers generate more detailed output. If not specified, the default debugging detail level is zero (0). |
| appName | The name of the application as configured in your login configuration file (JAAS LoginConfig). |
| userClassNames | A comma-separated list of the names of the classes that you have made for your user Principals. |
| roleClassNames | A comma-separated list of the names of the classes that you have made for your role Principals. |
| useContextClassLoader | Instructs JAASRealm to use the context class loader for loading the user-specified LoginModule class and associated Principal classes. The default value is true, which is backwards-compatible with the way Tomcat 4 works. To load classes using the container's classloader instead, specify false. |
Example
Here is an example of how your server.xml snippet should look:

```xml
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="MyFooRealm"
       userClassNames="org.foobar.realm.FooUser"
       roleClassNames="org.foobar.realm.FooRole"
       debug="99"/>
```
It is the responsibility of your login module to create and save User and Role objects representing the Principals for the user (see javax.security.auth.Subject). If your login module doesn't create a user Principal but also doesn't throw a LoginException, the Tomcat CMA will break and the browser will be left at the http://localhost:8080/myapp/j_security_check URI or at some other unspecified location.
The flexibility of the JAAS approach is two-fold:
- you can carry out whatever processing you require behind the scenes in your own login module;
- you can plug in a completely different LoginModule by changing the configuration and restarting the server, without any code changes to your application.
Additional Notes
When a user attempts to access a protected resource for the first time, Tomcat 4 will call the authenticate() method of this Realm. Thus, any changes you have made in the security mechanism directly (new users, changed passwords or roles, etc.) will be immediately reflected.
Once a user has been authenticated, the user (and his or her associated roles) are cached within Tomcat for the duration of the user's login. (For FORM-based authentication, that means until the session times out or is invalidated; for BASIC authentication, that means until the user closes their browser). Any changes to the security information for an already authenticated user will not be reflected until the next time that user logs on again.
Debugging and exception messages logged by this Realm will be recorded by the Logger that is associated with our surrounding Context, Host, or Engine. By default, the corresponding Logger will create a log file in the $CATALINA_HOME/logs directory.
As with other Realm implementations, digested passwords are supported if the <Realm> element in server.xml contains a digest attribute; JAASRealm's CallbackHandler will digest the password prior to passing it back to the LoginModule, so a LoginModule used behind such a Realm must compare the value it receives from the PasswordCallback against the stored digest, not against a cleartext password.