Nor*_*Ren 1 authentication jaas jsf-2 glassfish-3
建立:
在登录表单中键入有效的用户凭据后,我将登录并重定向到下一页.但是如果我离开那个页面并转到另一个页面,当然是在允许的url-pattern中,我得到"HTTP状态403-对所请求资源的访问被拒绝".之后我再也无法访问webapp的任何网站了.
如果我将glassfish的server-config/security中的Standard-Realm设置为我自己的领域,那么登录才有效!
我在部署时在服务器日志中收到一条警告:
Warnung: Keine Principals zugeordnet zu Rolle [USER].
(Warning: No principals mapped to role [USER])
如果我使用Chrome Debugger删除JSESSIONID,我可以再次登录.在访问一个允许的网站之后看起来会在服务器端销毁会话?!
我附上了一些相关来源.我认为它与Realm等无关,因为登录机制有效并且没有例外......
web.xml中
<login-config>
<auth-method>FORM</auth-method>
<realm-name>jdbcRealm</realm-name>
<form-login-config>
<form-login-page>/faces/login.xhtml</form-login-page>
<form-error-page>/faces/loginError.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>User</web-resource-name>
<url-pattern>/faces/user/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
glassfish-web-app.xml(手动添加)
<glassfish-web-app>
<security-role-mapping>
<role-name>USER</role-name>
<group-name>USER</group-name>
</security-role-mapping>
</glassfish-web-app>
login.xhtml
<h:form>
<h:outputLabel for="usernameInput">
Username:
</h:outputLabel>
<h:inputText id="usernameInput" value="#{authBackingBean.username}"
required="true" />
<br />
<h:outputLabel for="passwordInput">
Password:
</h:outputLabel>
<h:inputSecret id="passwordInput" value="#{authBackingBean.password}"
required="true" />
<br />
<h:commandButton value="Login"
action="#{authBackingBean.login}" />
AuthBackingBean
@Stateless
@Named
public class AuthBackingBean {
private String username;
private String password;
public String getUsername() {
return this.username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return this.password;
}
public void setPassword(String password) {
this.password = password;
}
public String login() {
FacesContext context = FacesContext.getCurrentInstance();
HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();
try {
request.login(this.username, this.password);
} catch (ServletException e) {
context.addMessage(null, new FacesMessage("Login failed."));
return "loginError";
}
return "user/index";
}
public void logout() {
FacesContext context = FacesContext.getCurrentInstance();
HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();
try {
request.logout();
} catch (ServletException e) {
context.addMessage(null, new FacesMessage("Logout failed."));
}
}
}
PS:我对oracle的f***ed up文档感到非常失望,因为它包含许多逻辑错误,拼写错误和复制/粘贴错误.它是非结构化的,难以阅读和过载.(对不起,但不得不说)
这很有趣,经过几个小时的测试和写这个问题,我在发布后一分钟找到了答案:
我在server-config/security中激活了"Standard-Principal auf Rollenzuordnung"(Standard-Principal to Rolemapping),现在它可以工作了.
| 归档时间: |
|
| 查看次数: |
4944 次 |
| 最近记录: |