使用JDBC领域进行身份验证

时间:2015-12-26 21:10:32

标签: java jsp java-ee jdbc jdbcrealm

在我的Java EE应用程序中,我通过JDBC Realm实现了身份验证/自动化(我第一次应用此解决方案)。

以下代码在成功登录时没有任何问题,问题是当我输入错误的凭据时:无论如何它都会登录,即使它捕获了ServletException(登录失败),这些代码行也永远不会执行(尝试在调试模式):

  

request.setAttribute(" msg","登录错误");

     

nextPage =" /errorPage.jsp" ;;

另一件奇怪的事情:无论我传给什么

  

getServletContext()方法。的getRequestDispatcher(下一页)的.forward(请求,   响应);

作为nextPage(我试图静态地放置" /errorPage.jsp"),它总是转发到index.jsp。

的Login.jsp 

 @WebServlet("/Login")
    public class Login extends HttpServlet {
        private static final long serialVersionUID = 1L;

/**
 * @see HttpServlet#HttpServlet()
 */
public Login() {
    super();
    // TODO Auto-generated constructor stub
}

/**
 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
 */
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    // TODO Auto-generated method stub
}

/**
 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
 */
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

    String username = request.getParameter("username").trim();
    String password = request.getParameter("password").trim();
    String nextPage = "/index.jsp";

    try {
        request.login(username, password);
    } 
    catch (ServletException ex) { 
        request.setAttribute("msg", "Error in login");
        nextPage = "/errorPage.jsp";
    }

        getServletContext().getRequestDispatcher(nextPage).forward(request, response);
    }
}

的login.jsp 

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%
    request.logout();
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Welcome</title>
</head>
<body>
    <h1>Hi! You need to login.</h1>
    <form method="POST" action="/MyApp/Login">
        Usuario: <input type="text" name="username" /> Password: <input
            type="password" name="password" /> <input type="submit"
            value="Send" />
    </form>
</body>
</html>

的web.xml 

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">
    <display-name>MyApp</display-name>
    <welcome-file-list>
        <welcome-file>login.jsp</welcome-file>
    </welcome-file-list>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>jdbcRealm</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/errorPage.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin stuff</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>User stuff</web-resource-name>
            <url-pattern>/user/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>

在此之前,我尝试了container-managed security解决方案(使用登录&#39; s形式操作调用j_security_check组件)。

登录可以正常使用(即使使用了错误的凭据),但我还遇到了另一个我以前没有的严重问题:在其中一个用例中,用户可以看到项目正在进行但是它不应该&# 39;能够看到其他用户&#39;项目。我使用以下servlet实现了这个,但问题是(像其他解决方案一样)它跳过了一些指令(例如,在DB中查找用户的指令)并且它进入异常,重定向到错误页。

public class ViewUserProjects extends HttpServlet {
    private static final long serialVersionUID = 1L;

    public ViewUserProjects() {
        super();
        // TODO Auto-generated constructor stub
    }

    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        DAO dao = (DAO) getServletContext().getAttribute("bd");

        Principal p = request.getUserPrincipal();
        String username = p.getName();

        try {
            User user = dao.getUserByName(name);
            request.getSession().setAttribute("user", user);

            ArrayList<Project> projects = new ArrayList<Project>();

            tareas = ad.getUserProjects(Integer.parseInt(user.getId()));

            request.setAttribute("projects", projects);

            getServletContext().getRequestDispatcher(
                    "/user/viewProjects.jsp").forward(request,
                            response);
        } catch (Exception ex) {
            request.setAttribute("msg",
                    "Error");
            getServletContext().getRequestDispatcher("/errorPage.jsp").forward(
                    request, response);
        }
    }

    protected void doPost(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        // TODO Auto-generated method stub
    }

}

2 个答案:

答案 0 :(得分:2)

使用JDBCRealm时,更好的做法是将container-managed security用于应用authentication/authorization,而不是从您的应用代码处理此问题(您正在进行此操作)

所以我们允许服务器来处理这个问题,这意味着根据Servlet Specification使用form-based authentication(您使用的)将是这样的:

首先是表格:

<form action="j_security_check" method="POST">
    Username:<input type="text" name="j_username" placeholder="Username" />
    Password:<input type="password" name="j_password" placeholder="Password" />
    <input type="submit" value="Log In" />
</form>

然后在我们的Deployment Descriptor中,我们必须添加一些您似乎已经拥有的配置,但这是另一个示例:

注意我相信您正在使用<error-page>标记,我们使用403错误Forbidden resource 

<security-constraint>
    <display-name>securityConstraint1</display-name>
    <web-resource-collection>
        <web-resource-name>resources</web-resource-name>
        <description />
        <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>appUser</role-name>
        <role-name>appAdmin</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <display-name>securityConstraint2</display-name>
    <web-resource-collection>
        <web-resource-name>resources</web-resource-name>
        <description />
        <url-pattern>/protected/admni/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>appAdmin</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>appRealm</realm-name>
    <form-login-config>
        <form-login-page>/index.xhtml</form-login-page>
        <form-error-page>/public/forbidden.xhtml</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>appUser</role-name>
</security-role>

<security-role>
    <role-name>appAdmin</role-name>
</security-role>   

<error-page>
    <error-code>403</error-code>
    <location>/public/forbidden.xhtml</location>
</error-page>

我们忘记了Data Protection(你已经拥有):

<user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

所以现在我们需要为应用程序定义ROLES,这首先在应用程序服务器中定义的映射组中完成。 ¿您使用的是哪个应用服务器?

以下是使用GlassFish

的示例

我们需要添加glassfish-web.xmlsun-web.xml 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app error-url="">

    <security-role-mapping>
        <role-name>appUser</role-name>
        <group-name>1</group-name>
    </security-role-mapping>

    <security-role-mapping>
        <role-name>appAdmin</role-name>
        <group-name>2</group-name>
    </security-role-mapping>

  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</sun-web-app>

因此,角色将映射到real repository中存在的实际组名。 (这是直接在您的应用服务器上创建的。)

要使其生效,我们需要在TABLE中创建DB,以便定义用户组。

此处的Realm是在Server Admin Console

中创建的

在GlassFish中转到:

配置&gt;&gt; Server-Config&gt;&gt;安全&gt;&gt;领域

这是领域配置的一个例子。

JDBCRealm

答案 1 :(得分:-1)

您在哪里检查从表单输入中输入的用户名和密码是否正确。您是通过查询数据库进行身份验证还是通过匹配代码中设置的用户名和密码值进行身份验证?我相信这会给你一个线索。确保来自表单输入的用户名和密码与代码中设置的用户名和密码相匹配。如果您有任何其他问题,请告诉我。如果这样可以解决您的问题,请将其标记为正确答案

 response.setContentType("text/html");
    String msg = " ";

    String username = request.getParameter("username");
    String password = request.getParameter("password");
    try {

if (username.equals("nick") && password.equals("nick_password")) {


            nextPage = "HELLO" + username + "! Your login is SUCESSFULL";

        } else {
            nextPage = "HELLO" + username + "!Your login is UNSUCESSFULL";
        }

}// close try
相关问题
最新问题