<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <title>Using Login Authentication</title> <link rel="StyleSheet" href="document.css" type="text/css" media="all" /> <link rel="StyleSheet" href="catalog.css" type="text/css" media="all" /> <link rel="Table of Contents" href="J2EETutorialTOC.html" /> <link rel="Previous" href="Security4.html" /> <link rel="Next" href="Security6.html" /> <link rel="Index" href="J2EETutorialIX.html" /> </head> <body>
<blockquote><a name="wp182253"> </a><h2 class="pHeading1">Using Login Authentication</h2><a name="wp158998"> </a><p class="pBody">When you try to access a protected Web resource, the Web container activates the authentication mechanism that has been configured for that resource. With a Web Application selected in the <code class="cCode">deploytool</code> tree, select the Security tabbed pane and select one of the following User Authentication Methods:</p><div class="pSmartList1"><ul class="pSmartList1"><a name="wp80617"> </a><div class="pSmartList1"><li><code class="cCode">None</code></li></div><a name="wp80618"> </a><p class="pBodyRelative">If you do not specify one of the following methods, the user will not be authenticated.</p><a name="wp80619"> </a><div class="pSmartList1"><li><code class="cCode">Basic</code></li></div><a name="wp159044"> </a><p class="pBodyRelative">If you specify <em class="cEmphasis">HTTP basic authentication</em>, the Web server will authenticate a user by using the user name and password obtained from the Web client. HTTP basic authentication is not particularly secure. Basic authentication sends user names and passwords over the Internet as text that is Base64-encoded, but not encrypted. This form of authentication can expose your user names and passwords unless all connections are over SSL. If someone can intercept the transmission, the user name and password information can easily be decoded. 
An example application that uses HTTP Basic Authentication in a JAX-RPC service is described in <a href="Security7.html#wp156943">Example: Basic Authentication with JAX-RPC</a>.</p><a name="wp159049"> </a><div class="pSmartList1"><li><code class="cCode">Form-based</code> </li></div><a name="wp159051"> </a><p class="pBodyRelative">If you specify <em class="cEmphasis">form-based authentication</em>, you can customize the login screen and error pages that are presented to the end user by an HTTP browser.</p><a name="wp159025"> </a><p class="pBodyRelative">Form-based authentication is not particularly secure. In form-based authentication, the content of the user dialog is sent as plain text, and the target server is not authenticated. This form of authentication can expose your user names and passwords unless all connections are over SSL. If someone can intercept the transmission, the user name and password information can easily be decoded. An example application using form-based authentication is included in the tutorial and is discussed in <a href="Security5.html#wp303355">Example: Using Form-Based Authentication</a>.</p><a name="wp92209"> </a><div class="pSmartList1"><li><code class="cCode">Client-Certificate</code></li></div><a name="wp160395"> </a><p class="pBodyRelative"><span style="font-style: italic">Client-certificate authentication </span>is a more secure method of authentication than either basic or form-based authentication. It uses HTTP over SSL, in which the server and, optionally, the client authenticate one another with Public Key Certificates. <span style="font-style: italic">Secure Sockets Layer</span> (SSL) provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. You can think of a <span style="font-style: italic">public key certificate</span> as the digital equivalent of a passport. 
It is issued by a trusted organization, which is called a <span style="font-style: italic">certificate authority</span> (CA), and provides identification for the bearer. If you specify <em class="cEmphasis">client-certificate authentication</em>, the Web server will authenticate the client using the client's <span style="font-style: italic">X.509 certificate</span>, a public key certificate that conforms to a standard that is defined by X.509 Public Key Infrastructure (PKI). Prior to running an application that uses SSL, you must configure SSL support on the server (see <a href="Security6.html#wp80702">Installing and Configuring SSL Support</a>) and set up the public key certificate (see <a href="Security6.html#wp80737">Setting Up Digital Certificates</a>). An example application that uses <code class="cCode">CLIENT-CERT</code> authentication is discussed in <a href="Security7.html#wp129121">Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC</a>.</p></ul></div><a name="wp160345"> </a><p class="pBody">To configure the authentication mechanism that the Web resources in a WAR will use, select the WAR in the <code class="cCode">deploytool</code> tree, and select the Security tabbed pane, then proceed as follows:</p><div class="pSmartList1"><ul class="pSmartList1"><a name="wp80646"> </a><div class="pSmartList1"><li>Specify one of the User Authentication Methods described above.</li></div><a name="wp80648"> </a><div class="pSmartList1"><li>Specify a security realm. If omitted, the <code class="cCode">file</code> realm is assumed. Select the Settings button beside the User Authentication Mechanism field to specify the realm.</li></div><a name="wp80649"> </a><div class="pSmartList1"><li>If the authentication method is specified as Form-based, specify a form login page and form error page. 
Select the Settings button beside the User Authentication Mechanism field to specify the Login Page and the Error Page to be used for form-based authentication.</li></div></ul></div><a name="wp303355"> </a><h3 class="pHeading2">Example: Using Form-Based Authentication</h3><a name="wp308819"> </a><p class="pBody">In this section, we discuss how to add form-based authentication to a basic JSP page. With <em class="cEmphasis">form-based authentication</em>, you can customize the login screen and error pages that are presented to the Web client for authentication of their user name and password. If the topic of authentication is new to you, please refer to the section titled <a href="Security5.html#wp182253">Using Login Authentication</a>.</p><a name="wp279390"> </a><p class="pBody">The example application discussed in this tutorial can be found in <code class="cCode">&lt;</code><code class="cVariable">INSTALL</code><code class="cCode">&gt;/j2eetutorial14/examples/security/formbasedauth/</code>. In general, the following steps are necessary to add form-based authentication to a Web client. In the example application included with this tutorial, most of these steps have already been completed for you; they are listed here so that you know what needs to be done should you wish to create a similar application outside of this tutorial.</p><div class="pSmartList1"><ul class="pSmartList1"><a name="wp279392"> </a><div class="pSmartList1"><li>Map the role name to the appropriate users and groups defined for the J2EE 1.4 Application Server. See <a href="Security5.html#wp159083">Adding Authorized Users</a> for more information on needed modifications.</li></div><a name="wp279470"> </a><div class="pSmartList1"><li>Edit the <code class="cCode">build.properties</code> file. The <code class="cCode">build.properties</code> file needs to be modified because the properties in this file are specific to your installation of the J2EE 1.4 Application Server and J2EE 1.4 Tutorial. 
See <a href="WebApp3.html#wp213795">Setting Up To Build and Deploy Tutorial Examples</a> for information on which properties need to be set.</li></div><a name="wp279456"> </a><div class="pSmartList1"><li>Create the Web client. For this example, the Web client, a very simple JSP page, is already created. The client is discussed in <a href="Security5.html#wp279492">Creating a Web Client for Form-Based Authentication</a>.</li></div><a name="wp279479"> </a><div class="pSmartList1"><li>Create the login form and login error pages. For this example, these files are already created. These pages are discussed in <a href="Security5.html#wp279877">Creating the Login Form and Error Page</a>.</li></div><a name="wp279478"> </a><div class="pSmartList1"><li>Add the appropriate security elements using <code class="cCode">deploytool</code>. See <a href="Security5.html#wp280108">Specifying Security Elements for Form-Based Authentication</a> for information on which settings need to be made.</li></div><a name="wp279406"> </a><div class="pSmartList1"><li>Build, package, deploy, and run the Web application (see <a href="Security5.html#wp304671">Building, Packaging, Deploying, and Running the Form-Based Authentication Example</a>). You will use the <code class="cCode">asant</code> tool to compile and install the example application.</li></div></ul></div><a name="wp159083"> </a><h4 class="pHeading3">Adding Authorized Users</h4><a name="wp279504"> </a><p class="pBody">This example application authorizes the role <code class="cCode">loginUser</code>. In order to specify which users can assume that role and access the protected parts of the application, you must map the role to users and groups defined for the J2EE 1.4 Application Server. 
Information on adding users and groups using the Admin Console is discussed in <a href="Security3.html#wp299910">Managing Users</a>.</p><a name="wp279512"> </a><p class="pBody">When the Application Server is started, it reads the settings in its configuration files. When a constrained resource is accessed, the Application Server verifies that the user identified by the submitted user name and password belongs to a role that is authorized to access that resource before granting access to the requestor. The roles that are authorized to access a resource are specified in the security constraint for this application.</p><a name="wp304751"> </a><p class="pBody">Information for adding users to the J2EE 1.4 Application Server is provided in <a href="Security3.html#wp299910">Managing Users</a>. For this example, create a new user and assign that user to the group <code class="cCode">loginUser</code>.</p><a name="wp279492"> </a><h4 class="pHeading3">Creating a Web Client for Form-Based Authentication</h4><a name="wp279861"> </a><p class="pBody">The Web client is a standard JSP page. None of the code that adds form-based authentication to the example is included in the Web client. The information that adds the form-based authentication to this example is specified in the deployment descriptor, which is created with <code class="cCode">deploytool</code>. The code for the JSP page used in this example, <code class="cCode">formbasedauth/web/index.jsp</code>, is listed below. The running application is shown in <a href="Security5.html#wp295013">Figure 27-2</a>.</p><div class="pPreformattedRelative"><pre class="pPreformattedRelative">&lt;html&gt;
&lt;head&gt;&lt;title&gt;Hello&lt;/title&gt;&lt;/head&gt;
&lt;body bgcolor="white"&gt;
&lt;img src="duke.waving.gif"&gt;
&lt;h2&gt;My name is Duke.&lt;/h2&gt;
&lt;h2&gt;&lt;font color="black"&gt;Hello, ${pageContext.request.userPrincipal.name}!&lt;/font&gt;&lt;/h2&gt;
&lt;/body&gt;
&lt;/html&gt;<a name="wp279875"> </a>
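<!-- Added example, not the tutorial's own deployment descriptor: the standard Servlet 2.4
     web.xml elements that correspond to the deploytool settings described above (FORM
     method, file realm, login and error pages, the loginUser role). The page file names
     logon.jsp and logonError.jsp and the WEB-INF path are assumptions. It goes one step
     beyond the tutorial by adding a CONFIDENTIAL transport guarantee, which enforces the
     SSL requirement the text states for form-based authentication. -->

```xml
<!-- web/WEB-INF/web.xml (assumed path) for the formbasedauth Web application -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Every URL in the WAR is constrained. No http-method elements are listed on
       purpose: naming some methods would leave all the others unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only users mapped to this role get through; see Adding Authorized Users -->
      <role-name>loginUser</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes the container redirect to HTTPS, so the credentials the
         login form posts are encrypted instead of travelling as plain text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Form-based login against the server's file realm, using custom pages -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/logonError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declares the role so that the server can map it to users and groups -->
  <security-role>
    <role-name>loginUser</role-name>
  </security-role>
</web-app>

<!-- web/logon.jsp (assumed name): the action URL and the two field names are
     fixed by the servlet specification; the container looks for exactly these. -->
<form method="post" action="j_security_check">
  User name: <input type="text" name="j_username" />
  Password:  <input type="password" name="j_password" />
  <input type="submit" value="Log In" />
</form>
```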