Using the Java Authentication and Authorization Service (JAAS) in JBoss (reposted)

Using the default security domain

1. Specify a security domain for the bean with the @SecurityDomain annotation:

          Example: @SecurityDomain("other")
2. Define it in the JBoss deployment descriptor (jboss.xml):
          
Example: jboss.xml
                <?xml version="1.0" encoding="UTF-8"?>
                <jboss>
                    <!-- JBoss's default domain is "other". To define your own domain, edit login-config.xml under jboss\server\default\conf and add a new application-policy -->
                    <security-domain>other</security-domain>
                    <!-- Principal assigned to unauthenticated callers; it may invoke resources annotated @PermitAll -->
                    <unauthenticated-principal>AnonymousUser</unauthenticated-principal>
                </jboss>
             jboss.xml must be packaged into the META-INF directory of the EJB jar.
The rest of this post assumes the second approach (advantage: easier to port).
1. First define users.properties and roles.properties (required) and place them on the classpath.
       users.properties holds user names and passwords, one per line:
       user=pass
       roles.properties assigns roles to users:
       user=Adminstrator,Guest       (separate multiple roles with commas)
       guest=Guest

2. Set the EJB's security domain
       @SecurityDomain("other")
       public class SecurityBean implements Security {}

3. Declare which roles may call each business method
       @RolesAllowed({"Adminstrator", "Guest"})      // one string per role; a single string "Adminstrator,Guest" would name one role that no user holds
       public void someMethod() {}
       @PermitAll                                    // any caller may invoke it, including the unauthenticated principal
       public void allowedInvoke() {}

The packaged EJB.jar has the following layout:
EJB.jar
|-com/**/*.class
+-ejbs
| +-Security.class
| +-SecurityBean.class
+-META-INF
| +-jboss.xml
|-users.properties
|-roles.properties
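As an added example (not from the original post and not JBoss's own code), the following Python models what the default "other" domain does with the two properties files, and how the container then applies @RolesAllowed and @PermitAll to the principal it produced. The sample users, the role table and the extra buggyMethod entry are constructed here; buggyMethod exists only to show why the annotation value must be one string per role.

```python
# Added example (not from the original post or from JBoss): a model of how the
# default "other" domain (UsersRolesLoginModule reading users.properties and
# roles.properties) and the @RolesAllowed/@PermitAll annotations decide a call.
# The sample users, roles and the name buggyMethod are constructed here.

# Constructed stand-ins for the two files on the classpath.
USERS_PROPERTIES = """\
# users.properties: user=password (clear text in the default module)
user=pass
guest=guest
"""
ROLES_PROPERTIES = """\
# roles.properties: user=role1,role2
user=Adminstrator,Guest
guest=Guest
"""

UNAUTHENTICATED_PRINCIPAL = "AnonymousUser"   # <unauthenticated-principal> in jboss.xml


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_roles(text):
    """roles.properties values are comma-separated role names."""
    return {user: {r.strip() for r in roles.split(",") if r.strip()}
            for user, roles in parse_properties(text).items()}


def authenticate(username, password, users=USERS_PROPERTIES):
    """Login decision: no credentials at all -> the unauthenticated principal
    (only because jboss.xml names one); unknown user or wrong password -> None."""
    if username is None and password is None:
        return UNAUTHENTICATED_PRINCIPAL
    stored = parse_properties(users).get(username)
    if stored is None or stored != password:
        return None
    return username


# Method-level constraints as the annotations express them: PERMIT_ALL stands
# for @PermitAll, a set of role names for @RolesAllowed.
PERMIT_ALL = object()
METHOD_ROLES = {
    "someMethod": {"Adminstrator", "Guest"},   # @RolesAllowed({"Adminstrator", "Guest"})
    "allowedInvoke": PERMIT_ALL,               # @PermitAll
    "buggyMethod": {"Adminstrator,Guest"},     # @RolesAllowed({"Adminstrator,Guest"}): ONE role named "Adminstrator,Guest"
}


def is_caller_allowed(principal, method, roles=ROLES_PROPERTIES):
    """Container-side check: a failed login never reaches the bean; @PermitAll
    always passes; otherwise the caller must hold at least one listed role,
    compared as whole strings (the annotation value is never split on commas)."""
    if principal is None:
        return False
    allowed = METHOD_ROLES[method]
    if allowed is PERMIT_ALL:
        return True
    held = parse_roles(roles).get(principal, set())
    return bool(held & allowed)


if __name__ == "__main__":
    for user, pw, method in [("user", "pass", "someMethod"), ("user", "pass", "buggyMethod"),
                             (None, None, "allowedInvoke"), (None, None, "someMethod")]:
        principal = authenticate(user, pw)
        print(user, method, "->", is_caller_allowed(principal, method))
```

Run it directly to see the four decisions. The buggyMethod row is the @RolesAllowed({"Adminstrator,Guest"}) spelling: it declares a single role whose name contains a comma, nobody in roles.properties holds it, so every caller is refused even though the intent was to admit both roles.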

4. Configure the role checks and protect certain URLs: edit the web application's web.xml
<!-- The constraint below limits paths beginning with /user/ to the DepartmentUser role.
     Listing http-method elements applies the constraint to GET and POST only; any other verb
     (HEAD, PUT, DELETE, ...) reaches the same URLs unauthenticated. Omit the http-method
     elements unless that is intended. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Pages</web-resource-name>
            <url-pattern>/user/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>DepartmentUser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- NONE does not require TLS; use CONFIDENTIAL so the form credentials and session cookie are not sent in clear text -->
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- The constraint below limits paths beginning with /admin/ to the AdminUser role (same http-method and transport caveats as above) -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Pages</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>AdminUser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Declare the roles -->
    <security-role>
        <description>Authorized to access everything.</description>
        <role-name>AdminUser</role-name>
    </security-role>
    <security-role>
        <description>Authorized to limited access.</description>
        <role-name>DepartmentUser</role-name>
    </security-role>

    <!-- Login configuration: the container itself handles the login -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/loginFailed.html</form-error-page>
        </form-login-config>
    </login-config>

5. To use the container's security service, declare the security domain the web application uses in jboss-web.xml (the example uses the other domain). This file goes in the WEB-INF directory.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC
"-//JBoss//DTD Web Application 2.3V2//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
<jboss-web>
           <security-domain>java:/jaas/other</security-domain>
</jboss-web>
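Added example (not part of the original post): a small auditor for the constraints from step 4. It parses a constructed web.xml containing the two constraints above plus a hardened third one, and reports the three things a pentester probes first: constraints that list http-method elements (other verbs bypass them), transport-guarantee NONE in front of a login form, and auth-constraint roles that no security-role declares. The constraint names and the /secure/* pattern are made up for the comparison.

```python
# Added example (not from the original post): audit the <security-constraint>
# blocks of a web.xml for the gaps a pentester checks first.  The input below
# is constructed: the two constraints from step 4 plus a hardened third one.
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Pages</web-resource-name>
      <url-pattern>/user/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>DepartmentUser</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>AdminUser</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Hardened</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>AdminUser</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-role><role-name>AdminUser</role-name></security-role>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>
"""


def audit_web_xml(xml_text):
    """Return (url-pattern, finding-kind, message) tuples for every constraint."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                     # tolerate a default xmlns on <web-app>
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    declared = {n.text.strip() for n in root.findall("security-role/role-name")}
    findings = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        methods = [m.text.strip() for m in sc.findall("web-resource-collection/http-method")]
        auth = sc.find("auth-constraint")
        roles = [] if auth is None else [r.text.strip() for r in auth.findall("role-name")]
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", default="NONE").strip()
        for pattern in patterns:
            if methods:
                findings.append((pattern, "http-method",
                                 "only %s are constrained; any other verb reaches the URL without "
                                 "authentication (drop the http-method list)" % ", ".join(methods)))
            if auth is None:
                findings.append((pattern, "no-auth-constraint",
                                 "no auth-constraint: every caller is allowed"))
            for role in roles:
                if role != "*" and role not in declared:
                    findings.append((pattern, "undeclared-role",
                                     "role %s is not declared in <security-role>" % role))
            if guarantee == "NONE":
                findings.append((pattern, "transport",
                                 "transport-guarantee NONE: login form and session cookie travel "
                                 "over plain HTTP; use CONFIDENTIAL"))
    return findings


if __name__ == "__main__":
    for pattern, kind, message in audit_web_xml(WEB_XML):
        print("%-10s %-18s %s" % (pattern, kind, message))
```

Point it at a real deployment's WEB-INF/web.xml by reading the file into audit_web_xml; the namespace stripping keeps it working on Servlet 2.4+ descriptors that declare a default xmlns. The /secure/* constraint in the sample produces no findings because it names no http-method and requires CONFIDENTIAL transport.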


Custom security domain
      
Keeping user names, passwords and roles in users.properties and roles.properties is inconvenient to manage. In most deployments they are stored in a database instead.
1. Define the security domain (an application-policy in login-config.xml)
<!-- Authentication: database login module -->
    <application-policy name="authenForDatabase">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <!-- Data source -->
                <module-option name="dsJndiName">java:/DefaultMySqlDS</module-option>
                <!-- Look up the password by user name. As written the column is compared as clear text;
                     set the module's hashAlgorithm and hashEncoding options (for example SHA-256 and base64)
                     to store digests instead -->
                <module-option name="principalsQuery">select password from sys_user where name=?</module-option>
                <!-- Look up the roles by user name; the 'Roles' literal in the SQL is the role group and must not be removed -->
                <module-option name="rolesQuery">select rolename,'Roles' from sys_userrole where username=?</module-option>
                <!-- Allow anonymous callers (no user name or password supplied); this name must not be a real account -->
                <module-option name="unauthenticatedIdentity">AnonymousUser</module-option>
            </login-module>
        </authentication>
    </application-policy>

2. Modify jboss.xml
     <?xml version="1.0" encoding="UTF-8"?>
    <jboss>
             <security-domain>authenForDatabase</security-domain>
              <unauthenticated-principal>AnonymousUser</unauthenticated-principal>
    </jboss>

3. Modify jboss-web.xml
    <?xml version="1.0" encoding="UTF-8"?>
     <!DOCTYPE jboss-web PUBLIC
     "-//JBoss//DTD Web Application 2.3V2//EN"
     "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
     <jboss-web>
                <security-domain>java:/jaas/authenForDatabase</security-domain>
     </jboss-web>
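Added example (not JBoss code): a model of the login that DatabaseServerLoginModule performs with the principalsQuery and rolesQuery above, run against an in-memory SQLite copy of sys_user and sys_userrole with constructed rows. It stores passwords as unsalted SHA-256 digests of the UTF-8 bytes, base64 encoded, which is the value the module compares when its hashAlgorithm=SHA-256, hashEncoding=base64 and hashCharset=UTF-8 options are set; without those options the module compares the column as clear text. The user names, passwords and the role lookup by principal name (yielding no roles for AnonymousUser) are this model's assumptions.

```python
# Added example (not JBoss code): what DatabaseServerLoginModule does with the
# two queries above, run against an in-memory SQLite copy of sys_user and
# sys_userrole.  Passwords are stored as an unsalted SHA-256 digest, base64
# encoded, the layout the module checks with hashAlgorithm=SHA-256,
# hashEncoding=base64 and hashCharset=UTF-8; the table contents are constructed.
import base64
import hashlib
import hmac
import sqlite3

PRINCIPALS_QUERY = "select password from sys_user where name=?"
ROLES_QUERY = "select rolename,'Roles' from sys_userrole where username=?"
UNAUTHENTICATED_IDENTITY = "AnonymousUser"


def password_hash(password, algorithm="sha256", encoding="base64"):
    """Digest of the UTF-8 password, base64 (hashEncoding=base64) or hex encoded."""
    digest = hashlib.new(algorithm, password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii") if encoding == "base64" else digest.hex()


def build_db():
    """Constructed sample rows; the schema matches the two queries."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table sys_user(name text primary key, password text);
        create table sys_userrole(username text, rolename text);
    """)
    db.executemany("insert into sys_user values (?, ?)",
                   [("alice", password_hash("s3cret")), ("bob", password_hash("hunter2"))])
    db.executemany("insert into sys_userrole values (?, ?)",
                   [("alice", "AdminUser"), ("alice", "DepartmentUser"), ("bob", "DepartmentUser")])
    return db


def login(db, username, password):
    """Return (principal, {group: roles}) on success, None on failure."""
    if username is None and password is None:
        # unauthenticatedIdentity: no lookup and no password check; the caller simply
        # becomes this principal, so it must not be the name of a real account.
        principal = UNAUTHENTICATED_IDENTITY
    else:
        row = db.execute(PRINCIPALS_QUERY, (username,)).fetchone()
        if row is None:
            return None                                    # unknown user
        if not hmac.compare_digest(row[0], password_hash(password)):
            return None                                    # digest mismatch
        principal = username
    # rolesQuery rows are (role, group); only the "Roles" group feeds the
    # @RolesAllowed and <auth-constraint> checks.  Lookup by principal name is
    # this model's assumption.
    groups = {}
    for rolename, group in db.execute(ROLES_QUERY, (principal,)):
        groups.setdefault(group, set()).add(rolename)
    return principal, groups


if __name__ == "__main__":
    db = build_db()
    for creds in [("alice", "s3cret"), ("alice", "wrong"), ("bob", "hunter2"), (None, None)]:
        print(creds, "->", login(db, *creds))
```

Because the login module runs principalsQuery and rolesQuery with the user name bound as a parameter, the user name is never interpolated into SQL; keep the ? placeholders rather than building the query strings yourself. The digest scheme here is unsalted, as the module's hashAlgorithm option is, so treat it as a floor, not a recommendation, for stored passwords.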

Done! ^_^

posted @ 2012-11-13 16:14  draem0507