I am trying to set up custom authentication with JAAS (required by the application). My standalone.xml looks like this:
<security-domain name="other" cache-type="default">
    <authentication>
        <login-module code="com.app.user.extendedSec.ExtendedLdapExtLoginModule" flag="optional">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://app.user.in:389"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="principalDNPrefix" value="cn="/>
            <module-option name="principalDNSuffix" value=",OU=Test,DC=ads,DC=exilant,DC=in"/>
            <module-option name="rolesCtxDN" value="OU=Test,DC=ads,DC=exilant,DC=in"/>
            <module-option name="uidAttributeID" value="member"/>
            <module-option name="matchOnUserDN" value="false"/>
            <module-option name="roleAttributeID" value="sAMAccountName"/>
            <module-option name="roleAttributeIsDN" value="true"/>
        </login-module>
        <login-module code="com.app.user.extendedSec.ExtendedUsernamePasswordLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity" value="guest"/>
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="dsJndiName" value="java:/session-tracking-dataSource-orcl"/>
            <module-option name="principalsQuery" value="SELECT PASSWORD FROM FUSION_USERS WHERE USERID=? AND LOCKFLAG='false' and (upper(active_ind) != 'N' or active_ind is null)"/>
            <module-option name="rolesQuery" value="SELECT USERTYPE, 'Roles' FROM FUSION_USER_GROUPS WHERE USERID=?"/>
        </login-module>
    </authentication>
</security-domain>
When the database is used for authentication and authorization it works fine, but authentication/authorization against the LDAP server does not work.
import org.jboss.security.auth.spi.LdapLoginModule;
import org.apache.log4j.Logger; // assumed: the posted snippet does not show which Logger it imports

public class ExtendedLdapExtLoginModule extends LdapLoginModule {
    // The original passed ExtendedLdapExtLoginModule.class.getClass(), which resolves to
    // java.lang.Class and mislabels every log line; pass the class itself.
    private static final Logger _logger = Logger.getLogger(ExtendedLdapExtLoginModule.class);

    /**
     * @param inputPassword    encrypted password from the request
     * @param expectedPassword password from Active Directory
     * @return the result of the super class check: true for success, false for failure
     */
    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        // Debug output as posted; note that it writes the decrypted (plaintext) password to the log.
        _logger.debug("ExtendedLdapExtLoginModule: Input encrypted: " + inputPassword);
        _logger.debug("ExtendedLdapExtLoginModule: Input decrypted: " + PasswordCodec.getDecryptedPassword(inputPassword));
        _logger.debug("ExtendedLdapExtLoginModule: Expected: " + expectedPassword);
        // Decrypt the password before passing it on for comparison (PasswordCodec is the application's own helper)
        return super.validatePassword(PasswordCodec.getDecryptedPassword(inputPassword), expectedPassword);
    }
}
The password is decrypted correctly on the server side.
Am I missing something here?
Thanks
Answer 0 (score: 0)
Assuming you are extending org.jboss.security.auth.spi.LdapLoginModule, you should not override validatePassword(), because it already attempts a bind operation against the LDAP server.
Judging from the JBoss source and the comments in it, you can use the vanilla LdapLoginModule#validatePassword(), which attempts a login rather than a password retrieval.
Specifically, these comments in the JBoss source make this clear:
/** Overridden to return an empty password string as typically one cannot
    obtain a user's password. We also override the validatePassword so
    this is ok.
    @return an empty password String
*/
protected String getUsersPassword() throws LoginException
{
    return "";
}

/** Validate the inputPassword by creating a ldap InitialContext with the
    SECURITY_CREDENTIALS set to the password.
    @param inputPassword the password to validate.
    @param expectedPassword ignored
*/
protected boolean validatePassword(String inputPassword, String expectedPassword)
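To make the distinction in the answer concrete, here is a stand-alone illustration of the bind-based check the quoted comments describe: nothing is retrieved and compared; the directory itself accepts or rejects the credentials when the JNDI context is opened. This is example code added here, not the JBoss source and not the asker's module. It reuses the principalDNPrefix/principalDNSuffix values from the question's standalone.xml, but the LDAP URL is a placeholder and the bind itself needs a reachable directory.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

/**
 * Bind-based password validation in the style of LdapLoginModule#validatePassword.
 * There is no "expectedPassword" in this model: the only oracle is the directory's
 * answer to the bind request.
 */
public class LdapBindCheck {

    // Host is a placeholder to replace; the prefix/suffix come from the question's configuration.
    static final String PROVIDER_URL = "ldap://ldap.example.invalid:389";
    static final String PRINCIPAL_DN_PREFIX = "cn=";
    static final String PRINCIPAL_DN_SUFFIX = ",OU=Test,DC=ads,DC=exilant,DC=in";

    /** Composes the bind DN the way principalDNPrefix + user + principalDNSuffix does. */
    static String bindDn(String username) {
        return PRINCIPAL_DN_PREFIX + username + PRINCIPAL_DN_SUFFIX;
    }

    /**
     * Opens an InitialDirContext with SECURITY_CREDENTIALS set to the candidate password.
     * A successful bind means the password is valid; an AuthenticationException means it is not.
     * Other NamingExceptions (unreachable host, malformed DN) are configuration problems and
     * are propagated so they are not mistaken for a wrong password.
     */
    static boolean validateByBind(String username, char[] password) throws NamingException {
        if (password == null || password.length == 0) {
            // An empty credential makes many directories perform an anonymous bind, which
            // would "succeed" for any user name; refuse it before contacting the server.
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn(username));
        env.put(Context.SECURITY_CREDENTIALS, password); // char[] is accepted by the LDAP provider

        InitialDirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind happens here
            return true;
        } catch (AuthenticationException wrongCredentials) {
            return false;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        // DN composition can be inspected without a server; the bind needs one at PROVIDER_URL.
        System.out.println("bind DN: " + bindDn("jdoe"));
        if (args.length == 2) {
            System.out.println("bind ok: " + validateByBind(args[0], args[1].toCharArray()));
        }
    }
}
```

Run with a user name and password as the two arguments once PROVIDER_URL points at a real directory. The credential is never written to the log here; the asker's debug statements, by contrast, record the decrypted password, which is worth removing before the module leaves development.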