JAAS: Authentication [Part 2, continued]. Some have argued that Tomcat's Realm mechanism is too idealized; at present, "When developing your LoginModule, note that JAASRealm's built-in CallbackHandler only recognizes the NameCallback and PasswordCallback at present."
In fact, it does not support a custom CallbackHandler either.
Rather than relying on it, it is better to call LoginContext yourself from a Servlet, JSP, or Action. The figure below shows the call structure.
[Figure: call structure for invoking LoginContext directly from a Servlet, JSP or Action]
Several useful reference points are currently available:
A: Hibernate LoginModule
Security: JAAS LoginModule
http://hibernate.bluemars.net/139.html
B: Extending JAAS to implement instance-level authorization [includes sample code], XML Policy
http://www-128.ibm.com/developerworks/cn/java/j-jaas/
C: The LoginModules from Tagish.net, at http://free.tagish.net/jaas/
Tagish.net currently provides several LoginModules, including:
com.tagish.auth.DBLogin
com.tagish.auth.FileLogin
com.tagish.auth.win32.NTSystemLogin
A toy like Tomcat [robbin's words] naturally has no support for authentication based on multiple modules.
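To make the "call LoginContext yourself from a Servlet" suggestion concrete, here is an added example; it is not code from the original post, from Tomcat, or from any of the projects linked above. It assumes a JAAS configuration file containing an entry named Login2 (like the one shown later in this post), located through the standard java.security.auth.login.config system property, and a form that posts username and password parameters. The servlet class, the FormCallbackHandler class and the session attribute name are this example's own choices. The point is that the CallbackHandler is under your control: it answers NameCallback and PasswordCallback from the form, and can be extended to any other Callback your LoginModule needs, which JAASRealm's built-in handler cannot do.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Answers NameCallback/PasswordCallback from values already read from the form (no console prompt). */
class FormCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;

    FormCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password;
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password); // PasswordCallback clones the array
            } else {
                // A custom handler can add further branches here for module-specific callbacks;
                // anything it does not understand is rejected explicitly rather than ignored.
                throw new UnsupportedCallbackException(cb, "Unsupported callback: " + cb.getClass().getName());
            }
        }
    }
}

public class LoginServlet extends HttpServlet {
    // Entry name in the JAAS configuration file (assumed: the Login2 stack from this post).
    private static final String JAAS_ENTRY = "Login2";
    // Session attribute under which this example keeps the authenticated Subject (example's own name).
    private static final String SUBJECT_ATTR = "example.auth.subject";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String user = req.getParameter("username");
        String pw = req.getParameter("password");
        if (user == null || pw == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "username and password are required");
            return;
        }
        char[] password = pw.toCharArray();
        try {
            // The application, not the container, drives authentication: LoginContext reads the
            // configuration, instantiates the stacked LoginModules and runs them per their control flags.
            LoginContext lc = new LoginContext(JAAS_ENTRY, new FormCallbackHandler(user, password));
            lc.login();
            Subject subject = lc.getSubject();

            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate(); // fresh session after login so a pre-login session id is not carried over
            }
            req.getSession(true).setAttribute(SUBJECT_ATTR, subject);
            resp.sendRedirect(req.getContextPath() + "/home");
        } catch (LoginException e) {
            // Keep module-specific failure detail on the server side; the client only learns "failed".
            log("JAAS login failed for user '" + user + "': " + e.getMessage());
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
        } finally {
            Arrays.fill(password, '\0'); // do not keep the cleartext password around longer than needed
        }
    }
}
```

Because the LoginContext is created by application code, the same servlet works unchanged whether the configured entry holds one module (Login1) or a stack of several with different control flags (Login2); only the configuration file decides.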
JAAS authentication is performed in a pluggable fashion -- illustrated in Figure 2 -- permitting Java applications to remain independent from underlying authentication technologies. Applications enable the authentication process by instantiating a LoginContext object, which in turn references a Configuration to determine the authentication technology, or LoginModule, to perform the authentication. Typical LoginModules may prompt for and verify a username and password. More sophisticated authentication schemes may read and verify a voice or a fingerprint, for example. Later we will examine how multiple authentication schemes can also provide for stack-based authentication.
Figure 2. JAAS: Pluggable authentication. (Source: Sun Microsystems)
Modules can be configured via configuration files. A sample entry might look like:
Login1 { sample.SampleLoginModule required debug=true;};
In this case, only one module performs the authentication. An attempt by Login1 to authenticate a Subject will succeed if and only if the SampleLoginModule succeeds.
In the code above, required represents a LoginModuleControlFlag. Let's look at required and its fellow LoginModuleControlFlags in more detail:
required: In this case, the login module must succeed. Regardless of whether it succeeds or fails, however, authentication still proceeds down the login module list.
requisite: The login module must succeed. If login succeeds, authentication continues down the list. However, if it fails, control returns immediately to the application.
sufficient: The module doesn't have to succeed. If it does succeed, control immediately returns to the application.
optional: This login module doesn't have to succeed. Whether it succeeds or fails, authentication still proceeds down the login module list.
Stacked authentication can be achieved by a configuration policy containing multiple modules. Here's an example:
Login2 { sample.SampleLoginModule required; com.sun.security.auth.module.NTLoginModule sufficient; com.foo.SmartCard requisite debug=true; com.foo.Kerberos optional debug=true;};
Overall authentication is governed by the individual modules and their LoginModuleControlFlag entries, as illustrated in Table 1. In the table, pass and fail are the outcome of that module's login, and * marks a don't-care entry (either the module is never reached, or its result cannot change the overall outcome).
Table 1. Login2 authentication outcomes (one column per scenario)

| Module (control flag)        | 1    | 2    | 3    | 4    | 5    | 6    | 7    | 8    |
|------------------------------|------|------|------|------|------|------|------|------|
| SampleLoginModule (required) | pass | pass | pass | pass | fail | fail | fail | fail |
| NTLoginModule (sufficient)   | pass | fail | fail | fail | pass | fail | fail | fail |
| SmartCard (requisite)        | *    | pass | pass | fail | *    | pass | pass | fail |
| Kerberos (optional)          | *    | pass | fail | *    | *    | pass | fail | *    |
| Overall Authentication       | pass | pass | pass | fail | fail | fail | fail | fail |
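The control-flag rules above can be checked mechanically against Table 1. The following is an added example, not code from the original article and not Sun's LoginContext implementation: a small Java simulation of how a LoginContext walks the Login2 stack, written directly from the four flag descriptions given in the text. It replays the eight scenarios of Table 1; every * entry is tried both as pass and as fail, so the run also confirms that those entries really are don't-cares. The class and method names are this example's own.

```java
import java.util.Arrays;

/** Simulates a LoginContext walking a module stack, using only the control-flag rules from the text. */
public class StackedLoginSimulator {
    enum Flag { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL }

    /** Login2: SampleLoginModule required, NTLoginModule sufficient, SmartCard requisite, Kerberos optional. */
    static final Flag[] LOGIN2_FLAGS = { Flag.REQUIRED, Flag.SUFFICIENT, Flag.REQUISITE, Flag.OPTIONAL };

    /** Table 1 transposed: one row per scenario, columns in stack order; null is the "*" don't-care entry. */
    static final Boolean[][] TABLE1 = {
        { true,  true,  null,  null  },
        { true,  false, true,  true  },
        { true,  false, true,  false },
        { true,  false, false, null  },
        { false, true,  null,  null  },
        { false, false, true,  true  },
        { false, false, true,  false },
        { false, false, false, null  },
    };
    static final boolean[] TABLE1_OVERALL = { true, true, true, false, false, false, false, false };

    /** Walk the stack once with concrete login() outcomes and return the overall result. */
    static boolean evaluate(Flag[] flags, boolean[] loginResult) {
        boolean anySucceeded = false;   // at least one module's login() returned true
        boolean requiredFailed = false; // a required module failed: overall must fail, but we keep walking
        for (int i = 0; i < flags.length; i++) {
            if (loginResult[i]) {
                anySucceeded = true;
                if (flags[i] == Flag.SUFFICIENT && !requiredFailed) {
                    return true;        // sufficient success: control returns to the application now
                }
            } else {
                switch (flags[i]) {
                    case REQUISITE:
                        return false;           // requisite failure: stop immediately
                    case REQUIRED:
                        requiredFailed = true;  // required failure: remembered, but continue down the list
                        break;
                    default:
                        break;                  // sufficient/optional failure: does not affect the outcome
                }
            }
        }
        // A required failure sinks the login; so does a stack in which nothing succeeded at all.
        return !requiredFailed && anySucceeded;
    }

    /** Evaluate a Table 1 scenario; each "*" is tried both ways and must not change the outcome. */
    static boolean evaluateScenario(Flag[] flags, Boolean[] row) {
        return expand(flags, row, 0, new boolean[row.length]);
    }

    private static boolean expand(Flag[] flags, Boolean[] row, int i, boolean[] concrete) {
        if (i == row.length) {
            return evaluate(flags, concrete);
        }
        if (row[i] != null) {
            concrete[i] = row[i];
            return expand(flags, row, i + 1, concrete);
        }
        concrete[i] = true;
        boolean asPass = expand(flags, row, i + 1, concrete);
        concrete[i] = false;
        boolean asFail = expand(flags, row, i + 1, concrete);
        if (asPass != asFail) {
            throw new IllegalStateException("entry " + i + " is not a don't-care in this scenario");
        }
        return asPass;
    }

    public static void main(String[] args) {
        boolean allMatch = true;
        for (int s = 0; s < TABLE1.length; s++) {
            boolean got = evaluateScenario(LOGIN2_FLAGS, TABLE1[s]);
            boolean expected = TABLE1_OVERALL[s];
            allMatch &= (got == expected);
            System.out.printf("scenario %d %s -> %s (table says %s)%n",
                    s + 1, Arrays.toString(TABLE1[s]), got ? "pass" : "fail", expected ? "pass" : "fail");
        }
        System.out.println(allMatch ? "all eight scenarios match Table 1" : "MISMATCH against Table 1");
    }
}
```

Scenario 5 is the one worth reading twice: NTLoginModule is sufficient and passes, yet the earlier required failure has already sealed the outcome, so control does not return early and the overall result is fail. A stack whose only passing module is sufficient and whose required module failed never authenticates, which is exactly why "sufficient" cannot be used as a bypass of a required check.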