<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Custom LoginModules</title><link rel="stylesheet" href="styles.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets"><link rel="home" href="index.html" title="JBoss 3.0 Documentation"><link rel="up" href="ch09.html" title="Chapter 9. JBossSX Security Extension Framework"><link rel="previous" href="ch09s15.html" title="The Secure Remote Password (SRP) Protocol"><link rel="next" href="ch09s30.html" title="Examples"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="section"><a name="sx.loginmodules"></a><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="sx.loginmodules"></a>Custom LoginModules</h2></div></div>
<div class="section"><a name="d0e6454"></a><div class="titlepage"><div><h3 class="title"><a name="d0e6454"></a>Bundled LoginModules</h3></div></div><p>This section documents the key login module implementations bundled with the JBossSX framework. There are two types of login modules: those that run on the client and those that run in the JBoss server. Client side login modules are primarily used to acquire the user identity and credentials that are associated with EJB method invocations. Server side login modules implement the behavior of the JaasSecurityManager, and thus perform the authentication and the role mapping used during authorization.</p>
<div class="section"><a name="sx.ServerSideLoginModules"></a><div class="titlepage"><div><h4 class="title"><a name="sx.ServerSideLoginModules"></a>Server Side LoginModules</h4></div></div>
<div class="section"><a name="sx.SubjectPatterns"></a><div class="titlepage"><div><h5 class="title"><a name="sx.SubjectPatterns"></a>LoginModule Subject Usage Patterns</h5></div></div><p>To understand how server side login modules are used in JBoss, you need to understand the information storage features of the JAAS Subject class. There are six ways one can obtain the security information that has been associated with a Subject:</p><div class="itemizedlist"><ul><li><p><a name="d0e6468"></a>java.util.Set getPrincipals()</p></li><li><p><a name="d0e6471"></a>java.util.Set getPrincipals(java.lang.Class c)</p></li><li><p><a name="d0e6474"></a>java.util.Set getPrivateCredentials()</p></li><li><p><a name="d0e6477"></a>java.util.Set getPrivateCredentials(java.lang.Class c)</p></li><li><p><a name="d0e6480"></a>java.util.Set getPublicCredentials()</p></li><li><p><a name="d0e6483"></a>java.util.Set getPublicCredentials(java.lang.Class c)</p></li></ul></div><p>For Subject identities and roles, the most natural choice is to use the Principal set obtained via getPrincipals() and getPrincipals(java.lang.Class). This is what JBossSX has chosen to use, and the usage pattern is as follows:</p><div class="itemizedlist"><ul><li><p><a name="d0e6489"></a>The identities of a user (username, SSN, employeeID, etc.) are stored as java.security.Principal objects in the Subject Principals set. The roles assigned to a user are also stored in the Principals set, but they are stored in named role sets using java.security.acl.Group instances. The Group interface is a subinterface of java.security.Principal. A Group is a collection of Principals and/or Groups. There can be any number of role sets assigned to a Subject. Currently the JBossSX framework uses two well-known role sets named "Roles" and "CallerPrincipal". The "Roles" set is the set of Principals for the named roles, as known in the application domain, that the Subject has been assigned. This role set is used by methods like EJBContext.isCallerInRole(String), which EJBs use to see if the current caller belongs to the named application domain role. The "CallerPrincipal" role set consists of the Principal identity assigned to the user in the application domain. It is used by the EJBContext.getCallerPrincipal() method to allow the application domain to map from the operational environment identity to a user identity suitable for the application. If a Subject does not have a CallerPrincipal role set, then the application identity is that of the operational environment identity.</p></li></ul></div></div>
<div class="section"><a name="sx.login.AbstractServerLoginModule"></a><div class="titlepage"><div><h5 class="title"><a name="sx.login.AbstractServerLoginModule"></a>org.jboss.security.plugins.AbstractServerLoginModule</h5></div></div><p>The AbstractServerLoginModule is an abstract base class that simplifies writing custom modules for the JBoss server.
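The following added example (written for this page, not code from the manual or from JBossSX) shows the consumer side of the Subject usage pattern described above, which is the pattern AbstractServerLoginModule populates: how the "Roles" set answers an isCallerInRole question and how the "CallerPrincipal" set, when present, replaces the operational identity. It assumes a JDK that still provides java.security.acl.Group (removed in Java 14) and JBossSX's org.jboss.security.SimpleGroup and SimplePrincipal classes; the class name SubjectRoleSets and the sample identities are made up.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import javax.security.auth.Subject;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

/** Example only: reading the "Roles" and "CallerPrincipal" role sets out of a JAAS Subject. */
public class SubjectRoleSets {
    /** Find the named role set among the Subject's Group principals, or null if absent. */
    static Group findRoleSet(Subject subject, String name) {
        for (Group g : subject.getPrincipals(Group.class))
            if (g.getName().equals(name)) return g;
        return null;
    }

    /** EJBContext.isCallerInRole semantics: is the role a member of the "Roles" set? */
    static boolean isCallerInRole(Subject subject, String role) {
        Group roles = findRoleSet(subject, "Roles");
        return roles != null && roles.isMember(new SimplePrincipal(role));
    }

    /** EJBContext.getCallerPrincipal semantics: the member of the "CallerPrincipal" set,
     *  or the operational environment identity when the Subject has no such set. */
    static Principal getCallerPrincipal(Subject subject, Principal operationalIdentity) {
        Group set = findRoleSet(subject, "CallerPrincipal");
        if (set == null) return operationalIdentity;
        Enumeration<? extends Principal> members = set.members();
        return members.hasMoreElements() ? members.nextElement() : operationalIdentity;
    }

    public static void main(String[] args) {
        // Constructed sample Subject: identity "jduke" with the roles from the manual's
        // jduke=TheDuke,AnimatedCharacter example, later mapped to an application identity.
        Subject subject = new Subject();
        Principal identity = new SimplePrincipal("jduke");
        subject.getPrincipals().add(identity);
        Group roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal("TheDuke"));
        roles.addMember(new SimplePrincipal("AnimatedCharacter"));
        subject.getPrincipals().add(roles);
        System.out.println("in TheDuke: " + isCallerInRole(subject, "TheDuke"));
        System.out.println("in Administrator: " + isCallerInRole(subject, "Administrator"));
        System.out.println("caller without CallerPrincipal set: " + getCallerPrincipal(subject, identity).getName());
        Group caller = new SimpleGroup("CallerPrincipal");
        caller.addMember(new SimplePrincipal("duke@app"));
        subject.getPrincipals().add(caller);
        System.out.println("caller with CallerPrincipal set: " + getCallerPrincipal(subject, identity).getName());
    }
}
```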
It implements the Subject to Principals/Groups usage pattern described in <a href="ch09s17.html#sx.SubjectPatterns" title="LoginModule Subject Usage Patterns">the section called “LoginModule Subject Usage Patterns”</a>. Any custom module you write should be a subclass of AbstractServerLoginModule to ensure that it associates information with the authenticated Subject in a manner consistent with the JBossSX supplied security managers.</p></div>
<div class="section"><a name="sx.login.JaasServerLoginModule"></a><div class="titlepage"><div><h5 class="title"><a name="sx.login.JaasServerLoginModule"></a>org.jboss.security.plugins.samples.JaasServerLoginModule</h5></div></div><p>The JaasServerLoginModule is a simple properties file based login module that consults two Java Properties
formatted text files for the username to password ("users.properties") and
username to roles ("roles.properties") mappings. The properties files are loaded
during initialization using the thread context class loader. This means that
these files can be placed into the J2EE deployment jar or the JBoss config
directory.
The users.properties file uses a format:<pre class="programlisting"> username1=password1
username2=password2
...</pre>to define all valid usernames and their corresponding passwords.
The roles.properties file uses a format:<pre class="programlisting"> username1=role1,role2,...
username1.RoleGroup1=role3,role4,...
username2=role1,role3,...</pre>to define the sets of roles for valid usernames. The "username.XXX" form of
property name assigns the user's roles to a particular named group of roles,
where the XXX portion of the property name is the group name.
The "username=..." form is an abbreviation for "username.Roles=...".
The following are therefore equivalent:<pre class="programlisting"> jduke=TheDuke,AnimatedCharacter
jduke.Roles=TheDuke,AnimatedCharacter</pre>
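As an added example that serves both the AbstractServerLoginModule and the JaasServerLoginModule descriptions above (written for this page; it is not the bundled JaasServerLoginModule's source), here is a custom server-side module that subclasses AbstractServerLoginModule, loads users.properties and roles.properties through the thread context class loader, and builds one Group per named role set, treating "user=..." as "user.Roles=...". It assumes the JBoss 3.0 base class contract (protected callbackHandler and loginOk fields, abstract getIdentity() and getRoleSets()), the org.jboss.security.SimpleGroup and SimplePrincipal classes, and a JDK that still has java.security.acl.Group (removed in Java 14); the class name ExamplePropertiesLoginModule is made up.

```java
import java.io.InputStream;
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.plugins.AbstractServerLoginModule;

/** Example only: a users/roles.properties module built on AbstractServerLoginModule. */
public class ExamplePropertiesLoginModule extends AbstractServerLoginModule {
    private Properties users, roles;  // username=password and username[.RoleSet]=role1,role2,...
    private String username;
    /** Load a classpath resource through the thread context class loader, as the bundled module does. */
    private static Properties load(String name) throws LoginException {
        Properties p = new Properties();
        InputStream in = Thread.currentThread().getContextClassLoader().getResourceAsStream(name);
        try { p.load(in); } catch (Exception e) { throw new LoginException("cannot load " + name); }
        return p;
    }
    public boolean login() throws LoginException {
        users = load("users.properties"); roles = load("roles.properties");
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try { callbackHandler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        username = nc.getName(); char[] given = pc.getPassword();
        String expected = username == null ? null : users.getProperty(username);
        // Unknown user and wrong password fail alike; loginOk is the flag the base commit() checks.
        loginOk = expected != null && given != null && expected.equals(new String(given));
        if (!loginOk) throw new FailedLoginException("Password Incorrect/Password Required");
        return true;
    }
    protected Principal getIdentity() { return new SimplePrincipal(username); }
    /** One Group per named role set; "user=..." is shorthand for "user.Roles=...". */
    protected Group[] getRoleSets() {
        Map<String, SimpleGroup> sets = new HashMap<String, SimpleGroup>();
        for (String key : roles.stringPropertyNames()) {
            int dot = key.indexOf('.');
            if (!(dot > 0 ? key.substring(0, dot) : key).equals(username)) continue;
            String setName = dot > 0 ? key.substring(dot + 1) : "Roles";
            SimpleGroup g = sets.get(setName);
            if (g == null) sets.put(setName, g = new SimpleGroup(setName));
            for (String role : roles.getProperty(key).split(","))
                g.addMember(new SimplePrincipal(role.trim()));
        }
        return sets.values().toArray(new Group[sets.size()]);
    }
}
```

The comparison is against the clear-text password that the users.properties format stores, so the deployment jar or config directory holding that file needs the same protection as any other credential store.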
</p></div><div class="section"><a name="sx.login.ProxyLoginModule"></a><div class="titlepage"><div><h5 class="title"><a name="sx.login.ProxyLoginModule"></a>org.jboss.security.ProxyLoginModule</h5></div></div><p>The ProxyLoginModule is a login module that loads a delegate
LoginModule using the current thread context class loader. The purpose of this
module is to work around the current JAAS class loader limitation that requires
LoginModules to be on the classpath. Some LoginModules use core JBoss classes
that would have to be moved into the jboss-jaas.jar and packaging becomes a
mess. Instead, these LoginModules are left in the JBoss server classpath in
jars under lib/ext and the ProxyLoginModule is used to bootstrap the
non-classpath LoginModule.</p></div><div class="section"><a name="sx.login.LdapLoginModule"></a><div class="titlepage"><div><h5 class="title"><a name="sx.login.LdapLoginModule"></a>org.jboss.security.plugins.samples.LdapLoginModule</h5></div></div><p>An implementation of LoginModule that authenticates against an LDAP server using JNDI based on the configuration properties.
The LoginModule options include whatever options your LDAP JNDI provider
supports. Examples of standard LDAP JNDI properties include:<div class="variablelist"><dl><dt><a name="d0e6524"></a><span class="term">Context.INITIAL_CONTEXT_FACTORY = "java.naming.factory.initial"</span></dt><dd><p><a name="d0e6527"></a>The classname of the InitialContextFactory implementation</p></dd><dt><a name="d0e6530"></a><span class="term">Context.SECURITY_PROTOCOL = "java.naming.security.protocol"</span></dt><dd><p><a name="d0e6533"></a>The transport protocol to use for secure access, e.g., ssl</p></dd><dt><a name="d0e6536"></a><span class="term">Context.PROVIDER_URL = "java.naming.provider.url"</span></dt><dd><p><a name="d0e6539"></a>The LDAP URL for the LDAP server</p></dd></dl></div>Additional LdapLoginModule properties include:<div class="variablelist"><dl><dt><a name="d0e6544"></a><span class="term">principalDNPrefix, principalDNSuffix</span></dt><dd><p><a name="d0e6547"></a>A prefix and suffix to add to the username when forming the user distinguished name. This is useful if you prompt a user for a username and you don't want them to have to enter the full distinguished name. Using principalDNPrefix and principalDNSuffix, the userDN is formed as:<b>String userDN = principalDNPrefix + username + principalDNSuffix;</b>
</p></dd><dt><a name="d0e6553"></a><span class="term">useObjectCredential</span></dt><dd><p><a name="d0e6556"></a>Indicates that the credential should be obtained as an opaque Object using the org.jboss.security.auth.callback.ObjectCallback type of Callback, rather than as a char[] password using a JAAS PasswordCallback.</p></dd><dt><a name="d0e6559"></a><span class="term">rolesCtxDN</span></dt><dd><p><a name="d0e6562"></a>The distinguished name of the context to search for user roles.</p></dd><dt><a name="d0e6565"></a><span class="term">roleAttributeName</span></dt><dd><p><a name="d0e6568"></a>The name of the attribute that contains the user roles.</p></dd><dt><a name="d0e6571"></a><span class="term">uidAttributeName</span></dt><dd><p><a name="d0e6574"></a>The name of the attribute, in the object containing the user roles, that corresponds to the userid. This is used to locate the user roles.</p></dd></dl></div>The Context.SECURITY_PRINCIPAL is set to the distinguished name of the user as obtained by the callback handler and the Context.SECURITY_CREDENTIALS