Problem description
I'd like to know how to combine these two authentication steps:
- check the user/password in an LDAP
- add principals (roles) found in a DB to the subject.
The LDAP user repository has no idea about application-specific roles, and I don't want to manage the passwords in the application DB. So I need both.
The JAAS configuration file allows additional LoginModules:
    <name used by application to refer to this entry> { <LoginModule> <flag> <LoginModule options>; <optional additional LoginModules, flags and options>; };
but I can't find an example that explains how it works.
Is this the right method?
Thanks
==========================================
Here is my answer:
Indeed, we can have additional LoginModules. The JAAS configuration file is:
    Sample {
        com.sun.security.auth.module.LdapLoginModule Requisite
            userProvider="ldap://acme.org:389/OU=Users,OU=_ACME,DC=acmegis,DC=acme,DC=org"
            authIdentity="{USERNAME}"
            userFilter="(userPrincipalName={USERNAME})"
            storePass=true;
        sample.module.SampleLoginModule required debug=true;
    };
Here we have two LoginModules:
Sun's LdapLoginModule, which checks the user/password, and my sample.module.SampleLoginModule, which queries my DB and fills in the principals. The important parameter is storePass=true, which asks the LdapLoginModule to store the username and password in the module's shared state (see http://docs.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html).
So the next LoginModules can get the username from the sharedState Map argument passed to the initialize method. They should have nothing to do in login(), and the DB query to fill in the Principals is done in commit() (as Shimi Bandiel said).
I don't use it yet, but there is a DatabaseServerLoginModule developed by **oss (see http://community.**oss.org/wiki/DatabaseServerLoginModule) that supports authentication and role mapping. Used with password-stacking=useFirstPass, we should have the answer to my need without writing a single line of code (but with a beautiful JAAS configuration file).
B.R.
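What the second module in the stack can look like, as an added example that is not code from the question or from either answer: it reads the username that LdapLoginModule shared under storePass=true, does no credential check in login(), and adds roles only in commit(). It assumes Java 16+ record syntax, a hypothetical RolePrincipal type, and a constructed in-memory map standing in for the DB query.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
/** Second module in the stack: adds DB roles for the user LdapLoginModule already authenticated. */
public class SampleLoginModule implements LoginModule {
    // Key under which LdapLoginModule publishes the username in sharedState when storePass=true.
    private static final String NAME_KEY = "javax.security.auth.login.name";
    // Constructed sample data standing in for the application DB; a real module runs a JDBC query here.
    private static final Map<String, List<String>> ROLES_DB =
            Map.of("alice", List.of("admin", "user"), "bob", List.of("user"));
    /** Hypothetical role principal the application checks by name; the record supplies equals/hashCode. */
    public record RolePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }
    private Subject subject;
    private Map<String, ?> sharedState;
    private String username;
    private final List<Principal> added = new ArrayList<>();
    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = sharedState;   // same Map instance LdapLoginModule wrote into
    }
    /** No password check here: LDAP already did it. Only pick up the shared username. */
    @Override public boolean login() throws LoginException {
        Object name = sharedState.get(NAME_KEY);
        if (name == null) throw new LoginException("no username in sharedState: set storePass=true on LdapLoginModule");
        username = name.toString();
        return true;   // must be true, or LoginContext treats this module as ignored and skips its roles
    }
    /** Runs only after every required module succeeded: now attach the DB roles to the Subject. */
    @Override public boolean commit() {
        for (String role : ROLES_DB.getOrDefault(username, List.of())) {
            Principal p = new RolePrincipal(role);
            if (subject.getPrincipals().add(p)) added.add(p);
        }
        return true;
    }

    @Override public boolean abort() { return logout(); }
    /** Remove only what this module added so other modules' principals are left alone. */
    @Override public boolean logout() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        return true;
    }
}
```

Because the LDAP module is flagged Requisite, a bad password stops the chain before this module's login() runs, so the DB is never queried for an unauthenticated name.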
You should implement a LoginModule in which, in the login method, you access the LDAP and check the username/password, and in the commit method you access the DB and fill in the principals.
There is no need here to use multiple LoginModules.