我希望保护我的webapp在WildFly 9服务器上运行。
我有一个包含2个表users(login, password)和roles(login, role)的SQL数据库。
首先,我配置了这样的BASIC身份验证:
standalone.xml:
<security-domain name="mydomain" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/myDS"/>
<module-option name="principalsQuery" value="select password from users where login=?"/>
<module-option name="rolesQuery" value="select role, 'Roles' from roles where login=?"/>
</login-module>
</authentication>
</security-domain>
的web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>name</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
的JBoss-web.xml中:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/mydomain</security-domain>
</jboss-web>
它运行正常,但这是一种不好的做法,因为密码是通过网络清晰发送的,并以相同的方式存储在数据库中。所以我试着改变BASIC for DIGEST:
standalone.xml:添加了一些选项模块
<security-domain name="mydomain" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/myDS"/>
<module-option name="principalsQuery" value="select password from users where login=?"/>
<module-option name="rolesQuery" value="select role, 'Roles' from roles where login=?"/>
<module-option name="hashAlgorithm" value="MD5"/>
<module-option name="hashEncoding" value="RFC2617"/>
<module-option name="hashUserPassword" value="false"/>
</login-module>
</authentication>
</security-domain>
web.xml:更改了login-config部分
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>MyRealm</realm-name>
</login-config>
但我有这个错误:
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=dsJndiName, value=java:jboss/datasources/proxysnmpDS
name=principalsQuery, value=select passwd from LOGIN where login=?
name=hashUserPassword, value=false
name=rolesQuery, value=select role, 'Roles' from USER_ROLES where login=?
name=hashEncoding, value=RFC2617
name=hashAlgorithm, value=MD5
15:03:06,676 TRACE [org.jboss.security 137] (default task-2) PBOX00236: Begin initialize method
15:03:06,676 DEBUG [org.jboss.security 154] (default task-2) PBOX00281: Password hashing activated, algorithm: MD5, encoding: RFC2617, charset: null, callback: null, storeCallBack: null
15:03:06,676 TRACE [org.jboss.security 133] (default task-2) PBOX00262: Module options [dsJndiName: java:jboss/datasources/proxysnmpDS, principalsQuery: select passwd from LOGIN where login=?, rolesQuery: select role, 'Roles' from USER_ROLES where login=?, suspendResume: true]
15:03:06,676 TRACE [org.jboss.security 186] (default task-2) PBOX00240: Begin login method
15:03:06,682 TRACE [org.jboss.security 182] (default task-2) PBOX00263: Executing query select passwd from LOGIN where login=? with username admin
15:03:06,693 DEBUG [org.jboss.security 287] (default task-2) PBOX00283: Bad password for username admin
15:03:06,694 TRACE [org.jboss.security 269] (default task-2) PBOX00244: Begin abort method, overall result: false
15:03:06,694 DEBUG [org.jboss.security 368] (default task-2) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.9.2.Final.jar:4.9.2.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_60]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_60]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_60]
...
我认为是因为从webapp登录系统收到的哈希密码和数据库中的哈希密码不一样。我在数据库中的哈希密码是login:realm:password的MD5。
有人可以告诉我出了什么问题吗?