REST Security Practice · 4. JAASRealm + FORM Authentication
mysql -uroot -p < security.sql
$CATALINA_BASE/conf/server.xml
<Context docBase="security-rest" ……>
  <Realm className="org.apache.catalina.realm.JAASRealm"
         appName="RestJaasRealm"
         roleClassNames="com.example.jaas.RestRolePrincipal"
         userClassNames="com.example.jaas.RestUserPrincipal"/>
</Context>
The Realm must be declared inside the Context element; otherwise the classes named in roleClassNames and userClassNames cannot be found. The value of appName must match the entry name defined in restJaas.conf.
Eclipse embedded Tomcat configuration?
/security-rest/src/main/resources/restJaas.conf
RestJaasRealm {
    com.example.jaas.RestLoginModule required;
};
Values and meaning of the second parameter (the LoginModule control flag)
jax-rs2-guide\sample\6\security-rest\src\main\java\com\example\jaas>ls -l
-Djava.security.auth.login.config="D:\+aries\github\jax-rs2-guide\sample\6\security-rest\src\main\resources\restJaas.conf"
Eclipse embedded Tomcat VM argument settings?
$CATALINA_HOME/lib
M2_REPO/mysql/mysql-connector-java/5.1.25/mysql-connector-java-5.1.25.jar
/security-rest/src/main/webapp/WEB-INF/web.xml
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <url-pattern>/webapi/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<!-- The two constraints combine: GET is granted to admin or user, while POST/PUT/DELETE
     stay admin-only. Methods not listed in any constraint (HEAD, OPTIONS, PATCH, ...)
     are left unconstrained by these rules. -->
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <url-pattern>/webapi/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
  </form-login-config>
</login-config>
<welcome-file-list>
  <welcome-file>/index.html</welcome-file>
</welcome-file-list>
<!-- POST keeps the credentials out of the URL, browser history and access logs -->
<form action="j_security_check" method="post">
  <div>
    <span>User Name</span>
    <input id="j_username" name="j_username" type="text" />
  </div>
  <div style="margin-top:10px;margin-bottom:10px;">
    <span>Password</span>
    <input id="j_password" name="j_password" type="password" />
  </div>
  <input type="submit" value="Sign In" />
</form>
Inside the JAASRealm.authenticate method there are two main objects:
Authentication consists of two steps:
Validating the login credentials, corresponding to the login method?
Retrieving the identity information (principals), corresponding to the commit method?
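The following is an added example, not the book's sample code, showing the two-phase LoginModule contract that JAASRealm relies on, together with the control flag from restJaas.conf. In phase 1, LoginContext.login() calls login() on every module in the stack and only checks credentials; in phase 2 it calls commit() on all of them (or abort() on all if the stack failed), and only commit() attaches the user and role principals to the Subject. The flag controls how the stack combines: required (must succeed, but the remaining modules still run), requisite (must succeed, stops at once on failure), sufficient (on success, returns immediately unless an earlier required module failed), optional (its result does not matter unless it is the only module). The class names mirror those in the Realm configuration; JaasDemo, the in-memory PASSWORDS/ROLES tables standing in for the MySQL tables from security.sql, and the programmatic Configuration are assumptions made for this example.

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasDemo {
    // The two principal types the Realm is told about via userClassNames / roleClassNames.
    public static final class RestUserPrincipal implements Principal {
        private final String name;
        public RestUserPrincipal(String n) { name = n; }
        @Override public String getName() { return name; }
    }
    public static final class RestRolePrincipal implements Principal {
        private final String name;
        public RestRolePrincipal(String n) { name = n; }
        @Override public String getName() { return name; }
    }

    // Constructed stand-in for the MySQL tables loaded from security.sql.
    // A real table stores a salted password hash and verifies with the same KDF.
    static final Map<String, String> PASSWORDS = Map.of("alice", "alice-pw", "bob", "bob-pw");
    static final Map<String, List<String>> ROLES = Map.of("alice", List.of("admin", "user"), "bob", List.of("user"));

    public static class RestLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean loginOk;                        // outcome of phase 1
        private final List<Principal> added = new ArrayList<>();

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }

        // Phase 1 (login): validate the credentials; attach nothing to the Subject yet.
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            char[] pw = pc.getPassword();
            pc.clearPassword();
            String expected = PASSWORDS.get(nc.getName());
            // MessageDigest.isEqual does not stop at the first differing byte.
            loginOk = expected != null && pw != null
                    && MessageDigest.isEqual(expected.getBytes(), new String(pw).getBytes());
            if (!loginOk) throw new FailedLoginException("bad user or password");
            user = nc.getName();
            return true;
        }

        // Phase 2 (commit): runs only after the whole module stack succeeded; adds user and role principals.
        @Override public boolean commit() {
            if (!loginOk) return false;
            added.add(new RestUserPrincipal(user));
            for (String r : ROLES.getOrDefault(user, List.of())) added.add(new RestRolePrincipal(r));
            subject.getPrincipals().addAll(added);
            return true;
        }

        @Override public boolean abort() { loginOk = false; user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }
    }

    // Programmatic equivalent of restJaas.conf:  RestJaasRealm { RestLoginModule required; };
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                if (!"RestJaasRealm".equals(appName)) return null;   // appName mismatch: no entry, login fails
                return new AppConfigurationEntry[] { new AppConfigurationEntry(RestLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
    }

    // Outline of what JAASRealm.authenticate does: build a LoginContext for appName and call login().
    static Subject authenticate(String user, String password) throws LoginException {
        CallbackHandler ch = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("RestJaasRealm", new Subject(), ch, config());
        lc.login();   // phase 1 on each module, then commit() on all, or abort() on all if a required one failed
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        for (Principal p : authenticate("alice", "alice-pw").getPrincipals())
            System.out.println(p.getClass().getSimpleName() + " " + p.getName());
        try { authenticate("alice", "wrong"); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Running main prints one RestUserPrincipal and two RestRolePrincipal entries for alice, and a rejection for the wrong password with no principals ever attached to that Subject. Under Tomcat the Configuration comes from the file named by -Djava.security.auth.login.config instead of config(), and the Realm's userClassNames/roleClassNames decide which of the committed principals become the request's user and roles.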