我已经创建了一个自定义LoginModule来验证mongoDB集合中的用户。就我而言,我每页需要一个角色...... 我已经在JSF中使用了JAAS身份验证,但在这种情况下,它没有按预期工作......它始终返回403错误(禁止)。 URL的映射显然是可以的。
那是我的网页层次结构:
按照我的配置:
的JBoss-web.xml中
<jboss-web>
<security-domain>nfceSecurityDomain</security-domain>
<disable-audit>true</disable-audit>
</jboss-web>
的web.xml
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/app/login.html</form-login-page>
<form-error-page>/app/login_error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>VISUALIZAR_NOTAS</role-name>
</security-role>
<security-role>
<role-name>GESTAO_CERTIFICADO</role-name>
</security-role>
<security-role>
<role-name>GESTAO_EMPRESA</role-name>
</security-role>
<security-role>
<role-name>DOWNLOAD_XML</role-name>
</security-role>
<security-role>
<role-name>INUTILIZACAO</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>index</web-resource-name>
<url-pattern>/app/index.html</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>VISUALIZAR_NOTAS</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>orderList</web-resource-name>
<url-pattern>/app/pages/orderlist.html</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>VISUALIZAR_NOTAS</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>certificateConfigurations</web-resource-name>
<url-pattern>/app/pages/certifiedlist.html</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>GESTAO_CERTIFICADO</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>enterpriseConfigurations</web-resource-name>
<url-pattern>/app/pages/enterpriselist.html</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>GESTAO_EMPRESA</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>xmlDownload</web-resource-name>
<url-pattern>/app/pages/orderdownload.html</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>DOWNLOAD_XML</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>invalidate</web-resource-name>
<url-pattern>/app/pages/orderInvalidate.html</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>INUTILIZACAO</role-name>
</auth-constraint>
</security-constraint>
standalone.xml
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="nfceSecurityDomain" cache-type="default">
<authentication>
<login-module code="br.com.ciss.nfce.security.JAASLoginModule" flag="required"/>
</authentication>
</security-domain>
</security-domains>
</subsystem>
这是我的LoginModule实现,用于从MongoDB获取用户和角色:
public class JAASLoginModule implements LoginModule {
private static final Logger LOG = Logger.getLogger(JAASLoginModule.class);
private Subject subject;
private CallbackHandler callbackHandler;
private Map sharedState;
private Map options;
private boolean succeeded = false;
private boolean commitSucceeded = false;
private String username = null;
private String _idUser = "";
private char[] password = null;
private Principal userPrincipal = null;
private Principal passwordPrincipal = null;
private ConnectionMongoUtil connectionMongoUtil;
public JAASLoginModule() {
super();
}
@Override
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map<String, ?> sharedState, Map<String, ?> options) {
this.subject = subject;
this.callbackHandler = callbackHandler;
this.sharedState = sharedState;
this.options = options;
}
@Override
public boolean login() throws LoginException {
if (callbackHandler == null) {
throw new LoginException("Error: no CallbackHandler available "
+ "to garner authentication information from the user");
}
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback("username");
callbacks[1] = new PasswordCallback("password: ", false);
try {
callbackHandler.handle(callbacks);
username = ((NameCallback) callbacks[0]).getName();
password = ((PasswordCallback) callbacks[1]).getPassword();
if (username == null || password == null) {
LOG.error("Callback handler does not return login data properly");
throw new LoginException(
"Callback handler does not return login data properly");
}
if (isValidUser()) { // validate user.
succeeded = true;
return true;
}
} catch (IOException e) {
e.printStackTrace();
} catch (UnsupportedCallbackException e) {
e.printStackTrace();
}
return false;
}
@Override
public boolean commit() throws LoginException {
if (succeeded == false) {
return false;
} else {
userPrincipal = new JAASUserPrincipal(username);
if (!subject.getPrincipals().contains(userPrincipal)) {
subject.getPrincipals().add(userPrincipal);
LOG.debug("User principal added:" + userPrincipal);
}
passwordPrincipal = new JAASPasswordPrincipal(new String(password));
if (!subject.getPrincipals().contains(passwordPrincipal)) {
subject.getPrincipals().add(passwordPrincipal);
LOG.debug("Password principal added: " + passwordPrincipal);
}
List<String> roles = getRoles();
for (String role : roles) {
Principal rolePrincipal = new JAASRolePrincipal(role);
if (!subject.getPrincipals().contains(rolePrincipal)) {
subject.getPrincipals().add(rolePrincipal);
LOG.debug("Role principal added: " + rolePrincipal);
}
}
commitSucceeded = true;
LOG.info("Login subject were successfully populated with principals and roles");
return true;
}
}
@Override
public boolean abort() throws LoginException {
if (succeeded == false) {
return false;
} else if (succeeded == true && commitSucceeded == false) {
succeeded = false;
username = null;
if (password != null) {
password = null;
}
userPrincipal = null;
} else {
logout();
}
return true;
}
@Override
public boolean logout() throws LoginException {
subject.getPrincipals().remove(userPrincipal);
succeeded = false;
succeeded = commitSucceeded;
username = null;
if (password != null) {
for (int i = 0; i < password.length; i++) {
password[i] = ' ';
password = null;
}
}
userPrincipal = null;
return true;
}
private boolean isValidUser() throws LoginException {
try {
BasicDBObject search = new BasicDBObject();
search.put("email", username);
connectionMongoUtil = new ConnectionMongoUtil();
DBObject user = connectionMongoUtil.getCollection("User").findOne(search);
if (user == null){
LOG.debug("USUÁRIO NÃO LOCALIZADO!");
return false;
}else{
if ( new String(password).equals(user.get("password"))){
_idUser = user.get("_id").toString();
return true;
}else{
LOG.debug("SENHA INVÁLIDA PARA O USUÁRIO " + username);
}
}
return false;
} catch (Exception e) {
LOG.error("Error when loading user " + username + " from the database \n", e);
}
return false;
}
/**
* Returns list of roles assigned to authenticated user.
*
* @return
*/
private List<String> getRoles() {
BasicDBObject search = new BasicDBObject();
search.put("_idUser", _idUser);
DBObject userModules = connectionMongoUtil.getCollection("UserModules").findOne(search);
String jsonArrayModules = userModules.get("_idModules").toString();
String[] modules = null;
try {
modules = new ObjectMapper().readValue(jsonArrayModules, String[].class);
} catch (IOException e) {
e.printStackTrace();
}
List<String> modulesList = new ArrayList<String>();
for (String _idModule : modules) {
DBObject module = connectionMongoUtil.getCollection("Module").findOne(new BasicDBObject("_id", new ObjectId(_idModule)));
if (module != null){
modulesList.add(module.get("name").toString());
}
}
return modulesList;
}
}
我在standalone.xml中添加了以下属性,以查看JAAS生成的日志,并且没有任何错误日志......
<logger category="org.jboss.security">
<level name="ALL"/>
</logger>
在我的MongoDB馆藏中,我已将所有角色添加到我的用户,当我尝试登录时,我可以登录,但所有页面都被锁定,返回403错误。
任何人都可以帮助我吗? 也许它只是一个导致403错误的细节...
感谢您的关注!
答案 0 :(得分:0)
解决这种情况的唯一方法是通过Spring Security更改JAAS:)
答案 1 :(得分:0)
您是否尝试在wildfly中部署模块? http://www.mastertheboss.com/jboss-server/jboss-security/configuring-a-mongodb-login-module
答案 2 :(得分:0)
我知道这是一个旧线程,但仍然没有一个好的解决方案。
我遇到了同样的问题...
某些情境: 我有一个健康的&#34;使用JAAS(直接实现javax.security.auth.spi.LoginModule)在Tomcat7上顺利运行的java web应用程序。 然后客户要求进入现场:&#34;它必须在JBoss 7.1.1和#34; WTF?即使是次要版本和补丁!?!
动手: 所以我做了所有的配置,在Java 8代码和JAX-RS方面有一些缺点,但这是另一个故事,最后我的应用程序在JBoss 7.1.1中成功部署。
<强>问题: 我可以在控制台中看到登录成功,但所有请求都返回HTTP 403。
调试所有Principal(CallerPrincipal和UserRoles)时都没问题。
此外,我有一个用于编排的单一抽象BaseServlet,并且所有请求都应该遍历,但HTTP 403在到达之前就已经出现...
<强>解决方案: 所以我注意到所有关于JAAS的JBoss文档都建议开发人员扩展他们的自定义LoginModule,所以我开始挖掘。
org.jboss.security.auth.spi.AbstractServerLoginModule使用他们所称的&#34; JBossSX标准存储身份和角色的主题使用模式&#34;。
我没有那么深刻地解释这种模式,但我已经重新评估了JBossWebRealm&#39;在容器端包装身份验证过程需要一个名为&#34;角色&#34;的java.security.acl.Group实现。包含所有Principals(CallerPrincipal和UserRoles)作为成员( JAASRealm的成员资格)。
此对象用于安全检查。
故事结束,我已将此方法添加到我的LoginModule实现中:
public boolean commit() throws LoginException {
// some validation code here
Set<Principal> principals = subject.getPrincipals();
// ensure principals contains (CallerPrincipal and UserRoles)
createRolesGroup(principals);
return true;
}
private void createRolesGroup(Set<Principal> principals) {
// Thee java.security.acl.Group implementation
SecurityGroup rolesGroup = new SecurityGroup("Roles");
Iterator<Principal> iter = principals.iterator();
while(iter.hasNext()) {
Object principal = iter.next();
if(!(principal instanceof Group)){
rolesGroup.addMember((Principal)principal);
}
principals.add(rolesGroup);
}
就像魅力一样。
希望它有所帮助。