问题
I would like to create (implement by my own) authentication mechanism which will be plugged into my Java EE application.
As far as I know I have to implement LoginModule and connect this implementation with container mechanisms somehow. But the problem is that I don't know how to do it. Maybe You know where I can find sample code or tutorial about it?
In other words I would like to force container to call my classes whenever methods: authenticate, login, and logout are called.
Sample implementation: HttpServletRequest.login method will successfully authenticate only users with even numer of letters in login.
回答1:
After reading about JAAS, you should implement your login module basing on org.jboss.security.auth.spi.AbstractServerLoginModule (from org.picketbox/picketbox maven artifact). Then deploy the module with your app, and create a proper security domain and realm in WildFly's standalone.xml, like such:
<security-domain name="myDomain" cache-type="default">
<authentication>
<login-module code="com.example.TestLoginModule" flag="required"
module="deployment.sample.jar"/>
</authentication>
</security-domain>
...
<security-realm name="MyRealm">
<authentication>
<jaas name="myDomain"/>
</authentication>
</security-realm>
Look out for different behaviour on different JBoss AS versions. 7.1.1 will not allow you to deploy the login module, you would have to create a separate jboss module and bind it with org.picketbox and jboss.security modules.
Additional reading: https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration
https://docs.jboss.org/author/display/WFLY8/Security+Realms
http://java.dzone.com/articles/creating-custom-login-modules (it is a little outdated, but the gives the main idea)
回答2:
I believe the container independent way of doing this is to use JASPIC (JSR 196). Unfortunately it doesn't appear simple, robust, or particularly well documented. Here is a reference: http://arjan-tijms.blogspot.com/2012/11/implementing-container-authentication.html.
回答3:
You should research JAAS.
Wikipedia gives a good overview: http://en.m.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service
This will provide all the info and tutorials you need: http://docs.oracle.com/javase/7/docs/technotes/guides/security/
Tutorial with sample app: http://download.java.net/jdk8/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html
And check this out in SO: JAAS for human beings
来源:https://stackoverflow.com/questions/21588836/custom-security-mechanism-in-java-ee-6-7-application