Custom Security mechanism in Java EE 6/7 application

StackOverflow https://stackoverflow.com/questions/21588836

Question

I would like to create (implement by my own) authentication mechanism which will be plugged into my Java EE application.

As far as I know I have to implement LoginModule and connect this implementation with container mechanisms somehow. But the problem is that I don't know how to do it. Maybe You know where I can find sample code or tutorial about it?

In other words I would like to force container to call my classes whenever methods: authenticate, login, and logout are called.

Sample implementation: HttpServletRequest.login method will successfully authenticate only users with even numer of letters in login.

Était-ce utile?

La solution 2

After reading about JAAS, you should implement your login module basing on org.jboss.security.auth.spi.AbstractServerLoginModule (from org.picketbox/picketbox maven artifact). Then deploy the module with your app, and create a proper security domain and realm in WildFly's standalone.xml, like such:

<security-domain name="myDomain" cache-type="default">
  <authentication>
    <login-module code="com.example.TestLoginModule" flag="required" 
module="deployment.sample.jar"/>
  </authentication>
</security-domain>

...

<security-realm name="MyRealm">
 <authentication>
   <jaas name="myDomain"/>
 </authentication>
</security-realm>

Look out for different behaviour on different JBoss AS versions. 7.1.1 will not allow you to deploy the login module, you would have to create a separate jboss module and bind it with org.picketbox and jboss.security modules.

Additional reading: https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration

https://docs.jboss.org/author/display/WFLY8/Security+Realms

http://java.dzone.com/articles/creating-custom-login-modules (it is a little outdated, but the gives the main idea)

Autres conseils

I believe the container independent way of doing this is to use JASPIC (JSR 196). Unfortunately it doesn't appear simple, robust, or particularly well documented. Here is a reference: http://arjan-tijms.blogspot.com/2012/11/implementing-container-authentication.html.

You should research JAAS.

Wikipedia gives a good overview: http://en.m.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service

This will provide all the info and tutorials you need: http://docs.oracle.com/javase/7/docs/technotes/guides/security/

Tutorial with sample app: http://download.java.net/jdk8/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html

And check this out in SO: JAAS for human beings

Licencié sous: CC-BY-SA avec attribution
Non affilié à StackOverflow
scroll top