我的网络应用程序使用salted, digested passwords container managed authentication加以保护。我希望通过service in JNDI处理密码突变/验证来减少与当前容器的耦合。我是在追求这样的事情:
/**
* A service for mutating passwords with salt.
* Note that the same password should yield different mutations every time.
*/
public interface PasswordMutationService {
/**
* Mutates the given password for storage purposes.
* The 'salt' must be coded into the result so that it can be extracted later.
*/
String mutatePassword(String password);
/**
* Confirm the given password was used to create the given stored mutation.
*
* @param candidatePassword The password supplied by a user that wants to be authenticated.
* @param storedMutatedPassword A mutation of the users password retrieved from storage.
*/
boolean verifyMutatedPassword(String candidatePassword, String storedMutatedPassword);
}
您是否知道提供此界面的API,因此我不必编写和管理自己的界面?我很难相信它不在Java EE的某个地方。
注意:我不是在拥有already been done的Tomcat王国之后。我也不需要实施is done too。
答案 0 :(得分:0)
要将我的应用程序与密码摘要实现分离,我实际上只需要一种方法:
String mutatePassword(String password)
容器插件可以耦合到摘要实现而不会造成太大的伤害,因此它不需要'verifyMutatedPassword()'在接口上。
在浏览了一些JDK7 API之后,我找到了something that could do the job(如果你不容易被冒犯):
public interface Provider<T> {
public T invoke(T request);
}
这意味着我的应用可以使用以下内容进入password mutation
InitialContext ctx = new InitialContext();
passwordMutator = (Provider<String>) ctx.lookup("java:comp/env/bean/appPasswordMutator");
密码变异和安全领域的tomcat容器配置是:
<Resource name="bean/appPasswordMutator" auth="Container"
factory="org.apache.naming.factory.BeanFactory"
type="pkg.PasswordMutator"
seedNumBytes="8"
keyNumBits="160"
digestIterationCount="10000"
singleton="true"/>
<Realm className="pkg.PasswordMutationRealm"
userCredCol="usercred"
passwordMutatorName="bean/appPasswordMutator"
localPasswordMutator="true"
localDataSource="true"
dataSourceName="jdbc/appDb"
userTable="usercred"
userNameCol="username"
userRoleTable="userrole"
roleNameCol="userrole"/>
我的SVN回购中提供了一个工作演示: https://subversion.assembla.com/svn/freshcode_public/learn/tomcat-maven-plugin (参见READ_ME.txt文件)