Topic: 在web上jaas的声明性授权,出措??? |
Print this page |
1.在web上jaas的声明性授权,出措??? | Copy to clipboard |
Posted by: neweagle Posted on: 2003-08-06 11:25 jaas中授权问题??各位老大,现身拉 在web上做jaas的授权,可是老通不过,在命令下又可以,郁闷?? 策略文件如下: grant { permission javax.security.auth.AuthPermission "createLoginContext"; permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "doAsPrivileged"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "getSubject"; }; /**grant codebase "file:/D:/JBuilder8/myjbproject/JaasDemo805/classes/jaas/JaasDemo.jar"**/ grant Principal jaas.PrincipalImpl "Brad" { permission jaas.PersonnelPermission "access"; }; 主要用到类: package jaas; import java.security.*; import javax.security.auth.*; import javax.security.auth.callback.*; import javax.security.auth.login.*; // // This is the main program in the JAAS Example. It creates a Login Context, // logs the user in based on the settings in the Login Configuration file, // and calls two sensitive pieces of code, the first using programmatic // authorization, and the second using declaritive authorization. public class JAASExample { static LoginContext lc = null; public static void main( String[] args) { // // Create a login context try { lc = new LoginContext("JAASExample", new UsernamePasswordCallbackHandler()); } catch (LoginException le) { System.out.println( "Login Context Creation Error" ); System.exit(1); } // // Login try { lc.login(); } catch (LoginException le) { System.out.println( "\nOVERALL AUTHENTICATION FAILED\n" ); System.exit(1); } System.out.println( "\nOVERALL AUTHENTICATION SUCCEEDED\n" ); System.out.println( lc.getSubject() ); // // Call the sensitive PayrollAction code, which uses programmatic // authorization. try { Subject.doAs( lc.getSubject(), new PayrollAction() ); } catch (AccessControlException e) { System.out.println( "Payroll Access DENIED" ); } // // Call the sensitive PersonnelAction code, which uses declarative // authorization. try { System.out.println("start here"); Subject.doAsPrivileged( lc.getSubject(), new PersonnelAction(), null ); } catch (AccessControlException e) { System.out.println( "Personnel Access DENIED" ); } try { lc.logout(); } catch (LoginException le) { System.out.println( "Logout FAILED" ); System.exit(1); } System.exit(0); } } ×××××××××××××××PersonnelAction.java package jaas; import java.io.*; import java.security.*; // // This class is a sensitive Personnel function that demonstrates // the use of declarative authorization using the user defined // permission PersonnelPermission, which throws an exception // if it not granted public class PersonnelAction implements PrivilegedAction { public Object run() { try{ AccessController.checkPermission(new PersonnelPermission("access")); System.out.println( "Subject has Personnel access\n"); }catch(Exception e){ System.out.println("error:" +e.getMessage()); } return new Integer(0); } } ××××××××××××PersonnelPermission.java package jaas; import java.security.*; // // Implement a user defined permission for access to the personnel // code for this example public class PersonnelPermission extends BasicPermission { public PersonnelPermission(String name) { super(name); } public PersonnelPermission(String name, String action) { super(name); } } 系统报错为: error:access denied (jaas.PersonnelPermission access) 请指教阿,各位老大??????? |
2.Re:在web上jaas的声明性授权,出措??? [Re: neweagle] | Copy to clipboard |
Posted by: menzy Posted on: 2003-08-06 16:02 policy 文件的问题? 加上codebase试试看 |
3.Re:在web上jaas的声明性授权,出措??? [Re: neweagle] | Copy to clipboard |
Posted by: neweagle Posted on: 2003-08-06 16:12 加上了codebase 如: 有包名的jaas.policy grant { permission javax.security.auth.AuthPermission "createLoginContext"; permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "doAsPrivileged"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "getSubject"; }; grant codebase "file:/D:/JBuilder8/myjbproject/jaasSample/classes/jaas/jaasSample.jar", Principal jaas.PrincipalImpl "larrye" { permission jaas.PersonnelPermission "access"; }; 没有包名的jaas.policy: grant { permission javax.security.auth.AuthPermission "createLoginContext"; permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "doAsPrivileged"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "getSubject"; }; grant Principal PrincipalImpl "Brad" { permission PersonnelPermission "access"; }; 我在命令下运行的是没有包名jaas的,是可以找到能授权成功,但是我用jdk1.4下面的工具policytool.exe查看这个没有包名的策略文件,提示警告:找不到PrimcipalImpl,PersonnelPermission这两个类,奇怪??? 但我在jbuilder下面生成测试后,加了个包名jaas,验证可以,程序性授权成功,就是声明性授权不成功。 谢谢回复,谢谢 |
4.Re:在web上jaas的声明性授权,出措??? [Re: neweagle] | Copy to clipboard |
Posted by: jprobe Posted on: 2003-08-27 18:49 太多了,没有细看。 在WEB上,需要修改服务器的配置文件啊。如JBOSS里有一个login-config.xml专门用来设置jaas配置。我在项目中也成功设置了。 另外,请问,什么叫程序性授权,什么叫声明性授权? |
5.Re:在web上jaas的声明性授权,出措??? [Re: neweagle] | Copy to clipboard |
Posted by: jsmile Posted on: 2003-08-27 22:26 Declarative authorization can be performed by a system administrator, who configures the system's access (that is, declares who can access which applications in the system). With declarative authorization, user access privileges can be added, changed, or revoked without affecting the underlying application code. Programmatic authorization uses Java application code to make authorization decisions. Programmatic authorization is necessary when authorization decisions require more complex logic and decisions, which are beyond the capabilities of declarative authorization. Since programmatic authorization is built into the application code, making programmatic authorization changes requires that some part of the application code be rewritten. |
6.Re:在web上jaas的声明性授权,出措??? [Re: neweagle] | Copy to clipboard |
Posted by: richardluopeng Posted on: 2003-08-28 19:50 程序性授权,什么叫声明性授权? 一个是硬编码,一个是申明 |
7.Re:在web上jaas的声明性授权,出措??? [Re: neweagle] | Copy to clipboard |
Posted by: floater Posted on: 2003-08-29 11:41 where is your command line jdk? jbuilder is using jdk under its own dir. |
8.Re:在web上jaas的声明性授权,出措??? [Re: neweagle] | Copy to clipboard |
Posted by: jsmile Posted on: 2003-08-29 22:30 Assume you already know how LoginModule, CallbackHandler and Permission works (Authentication). Here's the different code of two authorization types: Declarative authorization: class SomelAction implements PrivilegedAction { public Object run() { AccessController.checkPermission(new SomeDefinedPermission("xxx")); // Perform tasks return new Integer(0); } } Programmatic authorization: class SomeAction implements PrivilegedAction { public Object run() { AccessControlContext context = AccessController.getContext(); Subject subject = Subject.getSubject( context ); Set principals = subject.getPrincipals(); Iterator iterator = principals.iterator(); while (iterator.hasNext()) { MyPrincipal principal = (MyPrincipal)iterator.next(); if (principal.getName().equals( "Some Pre-Defined Role")) { // Perform tasks return new Integer(0); } } throw new AccessControlException("Denied"); } } |
9.Re:在web上jaas的声明性授权,出措??? [Re: neweagle] | Copy to clipboard |
Posted by: jeez Posted on: 2003-09-01 17:36 web下面用绝对路径是不行的;其次是policy要设在你运行的jdk下面,可以用policyTool查看。 |
10.Re:在web上jaas的声明性授权,出措??? [Re: neweagle] | Copy to clipboard |
Posted by: BlurEyes Posted on: 2003-09-01 20:48 看了一下,没看到auth.conf文件,只看到了policy文件。 请问JAASExample这个jaas Configuration在哪里定义的?(一般直接从javax.security.auth.login.Configuration继承,或者定义在auth.conf文件中。用来指定jaas的loginmodule)。 另外UsernamePasswordCallbackHandler的构造函数会一般会传人一个username,一个password。 没看到loginmodule的代码,不太好看出问题。 |
11.Re:在web上jaas的声明性授权,出措??? [Re: neweagle] | Copy to clipboard |
Posted by: neweagle Posted on: 2003-09-01 21:18 有两个configuration文件:jaas.policy和login.config 这两个文件我都是放在源码同级目录下面的,只是在jdk里面java.sercurity指定了这两个文件的位置 请问jeez : jaas.policy一定要放在jdk里面吗?里面指定位置不行吗 而且在web上声明授权是不是必须用相对路径才行?? 谢谢关注 最近好忙 又停了一段时间jaas 多交流 |
12.Re:在web上jaas的声明性授权,出措??? [Re: neweagle] | Copy to clipboard |
Posted by: jeez Posted on: 2003-09-02 10:44 web上是要用相对路径的。jaas的policy不必要和JDK在一起,只要配置的时候能找到就行了。 我以前用过jaas,但这部分代码是抄过来的,tomcat或是JBoss的源码中有,配置文件的相对路径可以通过servlet的参数传给servlet,然后在servlet中自己获得配置文件,然后做安全的配置,但具体步骤我不太清楚了,很抱歉你得自己查些资料了。 |
Powered by Jute Powerful Forum® Version Jute 1.5.6 Ent Copyright © 2002-2021 Cjsdn Team. All Righits Reserved. 闽ICP备05005120号-1 客服电话 18559299278 客服信箱 714923@qq.com 客服QQ 714923 |