Jaas 需要一个 Java 策略,我不知道如何提供它
我正在尝试使用 Jaas、Java 身份验证和 Autorisation 服务。 服务器是 App Engine,因此无法编辑web.xml。 我使用的 servlet 过滤器如下:
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
try {
LoginContext lc = new LoginContext("JaasSample", new AuthenticationCallbackHandler());
lc.login();
chain.doFilter(request, response);
lc.logout();
} catch (LoginException e) { /* lc.login() fails */}
}
对 LoginContext 的调用检查策略并抛出以下异常:
java.security.AccessControlException:
access denied (javax.security.auth.AuthPermission createLoginContext.JaasSample)
我使用的代码来自 Oracle 参考。 他们解释说,在存在安全管理器的情况下,有必要以这种方式授予一些权限:
grant {
permission javax.security.auth.AuthPermission "createLoginContext.JaasSample";
}
我只是不明白为什么要在 JAR 中进行此操作。
我可以在运行配置中使用 -D--enable_all_permissions=true 绕过此检查。 (但这需要在产品中解决)然后,在 System.getProperty("user.home")/.java.login.config 中搜索 Jaas 配置文件。难道它不是在项目资源中吗?这如何在本地/生产中发挥作用?
配置文件如下:
JaasSample {
com.sun.security.auth.module.Krb5LoginModule required;
};
非常感谢。
附注Spring Security 可以与 Jaas 一起使用,并在 App Engine 上运行。 pps。无法使用 Spring Security,因为它启动 Spring 上下文,这会减慢 App Engine 的启动速度。并且这个环境下的启动是一直进行的。
I'm trying to use Jaas, Java Authentication and Autorisation service.
The server is App Engine so, it is impossible to edit web.xml.
I'm using a servlet filter like:
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
try {
LoginContext lc = new LoginContext("JaasSample", new AuthenticationCallbackHandler());
lc.login();
chain.doFilter(request, response);
lc.logout();
} catch (LoginException e) { /* lc.login() fails */}
}
The call to LoginContext checks a policy and throws the following exception:
java.security.AccessControlException:
access denied (javax.security.auth.AuthPermission createLoginContext.JaasSample)
The code I'm using is from Oracle reference.
They explain that in presence of a Security Manager, it is necessary to grant some rights in this fashion:
grant {
permission javax.security.auth.AuthPermission "createLoginContext.JaasSample";
}
I just don't understand why this as to be made in a JAR.
I can bypass this check with -D--enable_all_permissions=true in the Run Configuration. (But this as to be resolved to go in prod) and then, Jaas configuration file is searched at System.getProperty("user.home")/.java.login.config. Don't it rather be in the projects resources? How this can works in local / in production?
The configuration file is like:
JaasSample {
com.sun.security.auth.module.Krb5LoginModule required;
};
Thanks so much.
ps. Spring Security can be use with Jaas and works on App Engine.
pps. Spring Security can not be used because it starts Spring context which slow down App Engine startup. And the startup in this environment is done all the time.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
使用 $JAVA_HOME/bin 目录中的策略工具来授予权限。
Use policytool from your $JAVA_HOME/bin directory to grant permission.
该问题仅存在于 App Engine 开发模式中;一旦交付,就没有这样的例外。
因此,在运行配置中使用
-D--enable_all_permissions=true就足够了。The problem solely exists in App Engine Dev Mode ; once delivered their is no such Exception.
So, using
-D--enable_all_permissions=truein Run Configuration is enough.