问题
What is the correct way for a java heavy client to authenticate with an OpenAM
protected servlet?
Java openAM sdk
exists, which I have used and it does provide access to the SSO Token. Where things break down is when this same heavy Java
client attempts to send serialized objects to a protected tomcat 7 (tomee+) servlet using this SSO Token id
as a cookie
. The OpenAM
filter uses redirection with an embedded / hidden form containing credentials. This breaks the serialized object communications.
So what is the right way to have a Java heavy client authenticate such that it can then send serialized objects back and forth to a protected servlet? Is this even possible?
回答1:
There are several ways to authenticate a client:
- use the REST API to authenticate the client (/identity/authenticate or /json/authenticate)
- using the ClientSDK AuthContext API
- sending POST requests to /UI/Login (not necessarily the best way..)
After acquiring the token the only thing you have to make sure of is that you send the session cookie to the protected pages. In case you receive a self-submitting form for JAAS, then that means that you are using the agent in J2EE_POLICY or ALL mode and Java EE declarative security is enabled. Possible solutions for this problem area:
- modify the client so it copes with the JAAS FORM login content (i.e. grab the input values and perform a POST manually), after this possibly you will also have to send the JSESSIONID with all your requests.
- consider removing protection for your servlets in web.xml, that way the container will not attempt to display the JAAS login form, but then this will also mean that you won't have the fancy JAAS integration either (isUserInRole/getRemoteUser/@RolesAllowed/etc)
- move your servlet to a separate application, which can be protected in a different agent filter mode (URL_POLICY/SSO_ONLY), it would be still protected, but again without the JAAS integration..
Basically I can't think of an easy way of leveraging JAAS integration with the use of a heavy client without dealing with form based login.. At one point in time I was able to implement a Java EE application client that authenticated into the container's (agent's) realm using programmatic login and that worked, but I don't suppose your heavy client is actually a Java EE application client..
来源:https://stackoverflow.com/questions/21539197/what-is-the-correct-way-for-a-java-heavy-client-to-authenticate-with-an-openam-p