The Java Authentication and Authorization Service (JAAS) is a part of Java SE 1.4 and beyond. The "authentication" part is concerned with ascertaining the identity of a program user. The "authorization" part maps users to permissions.
JAAS is a "pluggable" API that isolates Java applications from the particular technology used to implement authentication. It supports, among others, UNIX logins, NT logins, Kerberos authentication, and certificate-based authentication.
Once a user has been authenticated, you can attach a set of permissions. For example, here we grant Harry a particular set of permissions that other users do not have:
```
grant principal com.sun.security.auth.UnixPrincipal "hejian"
{
   permission java.util.PropertyPermission "user.*", "read";
   . . .
};
```
The com.sun.security.auth.UnixPrincipal class checks the name of the UNIX user who is running this program. Its getName method returns the UNIX login name, and we check whether that name equals "hejian". You use a LoginContext to allow the security manager to check such a grant statement. Here is the basic outline of the login code:
```java
try
{
   System.setSecurityManager(new SecurityManager());
   LoginContext context = new LoginContext("Login1"); // defined in JAAS configuration file
   context.login();
   // get the authenticated Subject
   Subject subject = context.getSubject();
   . . .
   context.logout();
}
catch (LoginException exception) // thrown if login was not successful
{
   exception.printStackTrace();
}
```
Now the subject denotes the individual who has been authenticated.
The string parameter "Login1" in the LoginContext constructor refers to an entry with the same name in the JAAS configuration file. Here is a sample configuration file:
```
Login1
{
   com.sun.security.auth.module.UnixLoginModule required;
   com.whizzbang.auth.module.RetinaScanModule sufficient;
};

Login2
{
   . . .
};
```
Of course, the JDK contains no biometric login modules. The following modules are supplied in the com.sun.security.auth.module package:
- UnixLoginModule
- NTLoginModule
- Krb5LoginModule
- JndiLoginModule
- KeyStoreLoginModule
A login policy consists of a sequence of login modules, each of which is labeled required, sufficient, requisite, or optional. The meaning of these keywords is given by the following algorithm:
1. The modules are executed in turn, until a sufficient module succeeds, a requisite module fails, or the end of the module list is reached.
2. Authentication is successful if all required and requisite modules succeed, or, if none of them were executed, if at least one sufficient or optional module succeeds.
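The two-step algorithm above, written out as a small simulation. This is an added example, not code from the original post or from the JDK: the `Module` record, the `authenticate` method and the success/failure outcomes are hypothetical stand-ins for real login modules, and it needs Java 16 or later for records.

```java
import java.util.List;

public class LoginPolicyDemo {
    enum Flag { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL }

    // Hypothetical stand-in for a configured module: its flag and a constructed outcome.
    record Module(String name, Flag flag, boolean succeeds) {}

    static boolean authenticate(List<Module> modules) {
        boolean mandatoryRan = false;    // a required or requisite module was executed
        boolean mandatoryFailed = false; // one of those failed
        boolean extraSucceeded = false;  // a sufficient or optional module succeeded
        for (Module m : modules) {
            boolean mandatory = m.flag() == Flag.REQUIRED || m.flag() == Flag.REQUISITE;
            if (mandatory) {
                mandatoryRan = true;
                mandatoryFailed |= !m.succeeds();
            } else {
                extraSucceeded |= m.succeeds();
            }
            // Step 1: a successful sufficient or a failed requisite ends the run.
            // A failed required module does not: later modules still execute.
            if (m.flag() == Flag.SUFFICIENT && m.succeeds()) break;
            if (m.flag() == Flag.REQUISITE && !m.succeeds()) break;
        }
        // Step 2: executed required/requisite modules decide; otherwise the others do.
        return mandatoryRan ? !mandatoryFailed : extraSucceeded;
    }

    static void show(String label, List<Module> modules) {
        System.out.println(label + " -> " + authenticate(modules));
    }

    public static void main(String[] args) {
        show("Login1: Unix login ok, retina scan fails", List.of(
            new Module("UnixLoginModule", Flag.REQUIRED, true),
            new Module("RetinaScanModule", Flag.SUFFICIENT, false)));
        show("Login1: Unix login fails, retina scan ok", List.of(
            new Module("UnixLoginModule", Flag.REQUIRED, false),
            new Module("RetinaScanModule", Flag.SUFFICIENT, true)));
        show("sufficient succeeds before a required module runs", List.of(
            new Module("RetinaScanModule", Flag.SUFFICIENT, true),
            new Module("UnixLoginModule", Flag.REQUIRED, false)));
        show("only optional modules, all fail", List.of(
            new Module("KeyStoreLoginModule", Flag.OPTIONAL, false)));
    }
}
```

The ordering cases are the ones worth checking in a real configuration: a sufficient module placed ahead of a required one can end the run before the required module is ever consulted.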
A login authenticates a subject, which can have multiple principals. A principal describes some property of the subject, such as the user name, group ID, or role. As you saw in the grant statement, principals govern permissions. The com.sun.security.auth.UnixPrincipal describes the UNIX login name, and the UnixNumericGroupPrincipal can test for membership in a UNIX group.
A grant clause can test for a principal,with the syntax
```
grant principal principalClass "principalName"
```
For example:
```
grant principal com.sun.security.auth.UnixPrincipal "hejian"
```
When a user has logged in, you then run, in a separate access control context, the code that requires checking of principals. Use the static doAs or doAsPrivileged method to start a new PrivilegedAction whose run method executes the code.
```java
PrivilegedAction<T> action = new PrivilegedAction<T>()
   {
      public T run()
      {
         // run with permissions of subject principals
         . . .
      }
   };
T result = Subject.doAs(subject, action); // or Subject.doAsPrivileged(subject, action, null)
```
If the actions can throw checked exceptions, then you implement the PrivilegedExceptionAction interface instead.
The difference between the doAs and doAsPrivileged methods is subtle. The doAs method starts out with the current access control context, whereas the doAsPrivileged method starts out with a new context.
The latter method allows you to separate the permissions for the login code and the "business logic." In our example application, the login code has permissions
```
permission javax.security.auth.AuthPermission "createLoginContext.Login1";
permission javax.security.auth.AuthPermission "doAsPrivileged";
```
The authenticated user has a permission
```
permission java.util.PropertyPermission "user.*", "read";
```
If we had used doAs instead of doAsPrivileged, then the login code would have also needed that permission!
The AuthenticateTest program should now display the value of the user.home property. However, if you change the login name in the auth.policy file, then a security exception should be thrown because you no longer have the required permission.
Caution!
Be careful to follow these instructions exactly. It is very easy to get the setup wrong by making seemingly innocuous changes.
Code View:

AuthenticateTest.java:
```java
package com.tojaoomy.security;

import java.security.PrivilegedAction;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class AuthenticateTest {

    public static void auth() {
        // Point the JVM at the policy file and the JAAS configuration file
        // before the security manager is installed.
        System.setProperty("java.security.policy", "security/auth.policy");
        System.setProperty("java.security.auth.login.config", "security/jaas.config");
        // The Security Manager is deprecated for removal since Java 17 (JEP 411)
        // and permanently disabled in JDK 24 (JEP 486); run this on an older JDK.
        System.setSecurityManager(new SecurityManager());
        // System.out.println(System.getProperty("user.dir"));
        try {
            LoginContext context = new LoginContext("Login1"); // entry in jaas.config
            context.login();
            System.out.println("Authentication successful");
            Subject subject = context.getSubject();
            System.out.println("Subject : " + subject);
            PrivilegedAction<String> action = new SysPropAction("user.home");
            // Run the action in a fresh context holding only the subject's permissions.
            String result = Subject.doAsPrivileged(subject, action, null);
            // String result = Subject.doAs(subject, action);
            System.out.println(result);
            context.logout();
        } catch (LoginException e) {
            // thrown if login was not successful
            e.printStackTrace();
        }
    }

    /**
     * @param args
     */
    public static void main(String[] args) {
        auth();
    }
}
```

SysPropAction.java:
```java
package com.tojaoomy.security;

import java.security.PrivilegedAction;

/** Reads a system property; needs a PropertyPermission for that property. */
public class SysPropAction implements PrivilegedAction<String> {

    private String propertyName;

    public SysPropAction(String propertyName) {
        this.propertyName = propertyName;
    }

    @Override
    public String run() {
        return System.getProperty(propertyName);
    }
}
```

security/auth.policy:
```
grant
{
   permission javax.security.auth.AuthPermission "createLoginContext.Login1";
   permission javax.security.auth.AuthPermission "doAsPrivileged";
   permission javax.security.auth.AuthPermission "doAs";
};

grant principal com.sun.security.auth.NTUserPrincipal "hejian"
      principal com.sun.security.auth.NTDomainPrincipal "DOMRST"
{
   permission java.util.PropertyPermission "user.*", "read";
};
```

security/jaas.config:
```
Login1
{
   com.sun.security.auth.module.NTLoginModule required;
};
```
My computer runs Windows 7, so I use the classes with the NT prefix; if yours runs UNIX, use the classes with the Unix prefix instead.
Here is my test result:
```
Authentication successful
Subject : Subject:
Principal: NTUserPrincipal: hejian
Principal: NTSidUserPrincipal: S-1-5-21-3707767768-4261598023-2969272642-9184
Principal: NTDomainPrincipal: DOMRST
Principal: NTSidDomainPrincipal: S-1-5-21-3707767768-4261598023-2969272642
Principal: NTSidPrimaryGroupPrincipal: S-1-5-21-3707767768-4261598023-2969272642-513
Principal: NTSidGroupPrincipal: S-1-1-0
Principal: NTSidGroupPrincipal: S-1-5-32-544
Principal: NTSidGroupPrincipal: S-1-5-32-545
Principal: NTSidGroupPrincipal: S-1-5-4
Principal: NTSidGroupPrincipal: S-1-2-1
Principal: NTSidGroupPrincipal: S-1-5-11
Principal: NTSidGroupPrincipal: S-1-5-15
Principal: NTSidGroupPrincipal: S-1-5-5-0-265371
Principal: NTSidGroupPrincipal: S-1-2-0
Principal: NTSidGroupPrincipal: S-1-5-21-3707767768-4261598023-2969272642-1144
Principal: NTSidGroupPrincipal: S-1-5-21-3707767768-4261598023-2969272642-9236
Principal: NTSidGroupPrincipal: S-1-16-12288
Public Credential: NTNumericCredential: 712
C:\Users\hejian.DOMRST
```