Note: this page is a Chinese-English translation of a popular StackOverflow question and is provided under the CC BY-SA 4.0 license. If you use it, you must comply with CC BY-SA as well, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/15156046/
JAAS configuration and LDAP login module in JavaEE 6
Asked by Oleg
I'm writing a question here because I haven't been able to find the solution myself for months. My situation: I have a client-server application written in Java which uses Java EE 6 and EJB 3.0. The server side is deployed on GlassFish 3.0. I need to develop/implement the login module for the application. Authentication must be done using an LDAP server and authorisation will be handled inside the application. Therefore I want to use JAAS technology to mix authentication and authorisation. I'm doing it for example like here. Then I follow this tutorial and official documentation to perform login. My problem is that LDAP login doesn't work.
My code:
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    LoginContext lc = null;
    try {
        // The LoginModule calls back into this handler to collect the credentials.
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (int i = 0; i < callbacks.length; i++) {
                    if (callbacks[i] instanceof NameCallback) {
                        // prompt the user for a username
                        NameCallback nc = (NameCallback) callbacks[i];
                        nc.setName("admin");
                        System.out.println("Login done.");
                    } else if (callbacks[i] instanceof PasswordCallback) {
                        // prompt the user for sensitive information
                        PasswordCallback pc = (PasswordCallback) callbacks[i];
                        pc.setPassword("mypassword".toCharArray());
                        System.out.println("Password done.");
                    } else {
                        throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
                    } // end if/else
                } // end for()
            }
        };
        // "myAuth" is the entry name looked up in the file given by -Djava.security.auth.login.config
        lc = new LoginContext("myAuth", handler);
        lc.login();
        Subject subject = lc.getSubject();
    } catch (LoginException e) {
        e.printStackTrace();
    }
My JAAS configuration file:
    myAuth {
        com.sun.enterprise.security.auth.login.LDAPLoginModule REQUIRED
            userProvider="ldap://mydomain:389/OU=users,DC=my,DC=domain,DC=com"
            authIdentity="{USERNAME}"
            useSSL=false
            debug=true;
    };
The client part of the application is run with the following JVM options:
    -Djava.security.auth.login.config=./jaas.conf -Dorg.omg.CORBA.ORBInitialHost=localhost
On the GlassFish side I set the JVM properties:
    -Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
    -Djava.naming.referral=follow
The login.conf file on the GlassFish side contains the following lines (ADRealm is the default realm of my GlassFish):
    ADRealm {
        com.sun.enterprise.security.auth.login.LDAPLoginModule REQUIRED;
    };
Settings for ADRealm:
    <property name="jaas-context" value="ldapRealm" />
    <property name="base-dn" value="CN=users,DC=my,DC=domain,DC=com" />
    <property name="directory" value="ldap://mydomain:3268" />
    <property name="search-bind-password" value="mypassword" />
    <property name="search-bind-dn" value="[email protected]" />
I want to stress that I'm trying to perform LDAP login at least to be sure that it works.
When I run the client I get the following error:
    Mar 1, 2013 1:36:44 PM com.sun.appserv.security.AppservPasswordLoginModule extractCredentials
    SEVERE: passwordlm.nopwdcred
    javax.security.auth.login.LoginException: No credentials.
What is strange is that it worked once(!), i.e. I could obtain the subject from the lc.getSubject() method. Also I assume that the handle() method above is not invoked, since I don't see

    Login done.
    Password done.

in the output.
Please could anybody help me???
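A self-contained JAAS example, added here and not taken from the question or from GlassFish (it does not use GlassFish's LDAPLoginModule at all): a constructed in-memory LoginModule stands in for the directory, the configuration is built in code instead of being read from jaas.conf, and the class and account names (JaasCallbackDemo, DemoLoginModule, FixedCallbackHandler, svc-app) are assumptions. It shows the path the asker's code depends on: LoginContext.login() calls the module's login(), which is the only place the CallbackHandler is run, so the "Login done." and "Password done." lines appear only when the module actually asks for credentials through callbacks. It also shows an empty password being rejected with a "No credentials." failure before anything resembling a bind is attempted.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasCallbackDemo {
    // Constructed stand-in for the directory: a single account. A real module would bind to LDAP instead.
    static final String KNOWN_USER = "svc-app";
    static final char[] KNOWN_PASSWORD = "constructed-secret".toCharArray();

    /** Configuration defined in code; equivalent to a "myAuth { ... REQUIRED; };" entry in jaas.conf. */
    static final class InMemoryConfiguration extends Configuration {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"myAuth".equals(name)) return null; // LoginContext then fails: no LoginModules configured
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
        }
    }

    /** Answers NameCallback and PasswordCallback from fixed values and prints when it is actually run. */
    static final class FixedCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        FixedCallbackHandler(String user, char[] password) { this.user = user; this.password = password; }

        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                    System.out.println("Login done.");
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // the callback keeps its own copy
                    System.out.println("Password done.");
                } else {
                    throw new UnsupportedCallbackException(cb, "Unrecognized Callback");
                }
            }
        }
    }

    /** Minimal LoginModule; public with a public no-arg constructor because JAAS instantiates it by name. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user; // set only by a successful login(), consumed by commit()

        @Override public void initialize(Subject s, CallbackHandler h,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            subject = s;
            handler = h;
        }

        @Override public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("No CallbackHandler to collect credentials");
            NameCallback nc = new NameCallback("username: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc }); // the only point where the handler is invoked
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("Callback handling failed: " + e.getMessage());
            }
            char[] pw = pc.getPassword(); // a copy; both copies are wiped below
            pc.clearPassword();
            if (nc.getName() == null || nc.getName().isEmpty() || pw == null || pw.length == 0) {
                throw new FailedLoginException("No credentials."); // same symptom as in the question
            }
            boolean ok = KNOWN_USER.equals(nc.getName()) && Arrays.equals(KNOWN_PASSWORD, pw);
            Arrays.fill(pw, '\0');
            if (!ok) throw new FailedLoginException("Invalid username or password");
            user = nc.getName();
            return true;
        }

        @Override public boolean commit() {
            if (user == null) return false;
            final String name = user;
            subject.getPrincipals().add(() -> name); // Principal has a single abstract method, getName()
            return true;
        }

        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
    }

    public static void main(String[] args) throws LoginException {
        Configuration.setConfiguration(new InMemoryConfiguration());
        // 1. Valid credentials: both handler lines print, login succeeds, the Subject carries a principal.
        LoginContext lc = new LoginContext("myAuth", new FixedCallbackHandler(KNOWN_USER, KNOWN_PASSWORD));
        lc.login();
        for (Principal p : lc.getSubject().getPrincipals()) System.out.println("principal: " + p.getName());
        lc.logout();
        // 2. Empty password: rejected with "No credentials." before any bind-like step would run.
        try {
            new LoginContext("myAuth", new FixedCallbackHandler(KNOWN_USER, new char[0])).login();
        } catch (LoginException e) {
            System.out.println("expected failure: " + e.getMessage());
        }
    }
}
```

Compile and run with javac JaasCallbackDemo.java && java JaasCallbackDemo; no -Djava.security.auth.login.config option is needed because Configuration.setConfiguration supplies the "myAuth" entry. The point of the demo is the ordering: the handler's messages can only be printed from inside a module's login(), so when they never appear, either the module named in the configuration was never reached or it obtains its credentials by some route other than NameCallback/PasswordCallback. The error in the question is raised by a GlassFish class, AppservPasswordLoginModule.extractCredentials, not by the callback-driven flow shown here, which is the first difference worth checking.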
Accepted answer by Giorgio Desideri
1st - On LDAP you don't use an admin user, but create another user with the necessary criteria to search and/or bind if necessary. An admin user isn't secure and is not recommended, especially in a Java EE context.
2nd - What kind of LDAP server are you trying to connect to? OpenLDAP or an Exchange server?
I'm referring you to these links, while waiting for your response: