一 什么是JAAS
Java 认证和授权服务”(Java Authentication and Authorization Service,JAAS)是对 Java 2 SDK 的扩展。
JAAS 可分Authentication和Authorization 。
1) Authentication:认证用户身份。看哪个用户在执行代码。通俗的来说就是哪个用户在执行操作。这个操作可能在某个application或bean或servlet上.
2) Authorization : 授权用户操作。也就是验证用户是否对指定资源有特定访问权限。好比某一用户是否有对指定文件的读取权限。
二 常用接口
CallbackHandler:用去用户信息,用于验证用户身份。
LoginModule:用于验证用户信息。
三 简单Demo
MyCallbackHandler.java
package authentication;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
public class MyCallbackHandler implements CallbackHandler {
@Override
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
for(Callback callback:callbacks){
if(callback instanceof NameCallback){
NameCallback nameCallback=(NameCallback)callback;
String prompt=nameCallback.getPrompt();
System.err.print(prompt);
nameCallback.setName(new BufferedReader(new InputStreamReader(System.in)).readLine());
}
if(callback instanceof PasswordCallback){
PasswordCallback passwordCallback=(PasswordCallback)callback;
String prompt=passwordCallback.getPrompt();
System.err.print(prompt);
passwordCallback.setPassword(new BufferedReader(new InputStreamReader(System.in)).readLine().toCharArray());
}
}
}
}
SampleLoginModule.java
package authentication;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
public class SampleLoginModule implements LoginModule {
// initial state
private Subject subject;
private CallbackHandler callbackHandler;
private Map sharedState;
private Map options;
// configurable option
private boolean debug = false;
// username and password
private String username;
private char[] password;
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map sharedState, Map options) {
this.subject = subject;
this.callbackHandler = callbackHandler;
this.sharedState = sharedState;
this.options = options;
// initialize any configured options
debug = "true".equalsIgnoreCase((String)options.get("debug"));
}
public boolean login() throws LoginException {
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback("user name: ");
callbacks[1] = new PasswordCallback("password: ", false);
try {
callbackHandler.handle(callbacks);
} catch (Exception e) {
throw new RuntimeException(e);
}
username = ((NameCallback)callbacks[0]).getName();
password = ((PasswordCallback)callbacks[1]).getPassword();
if("admin".equals(username)&&"admin".equals(new String(password))){
return true;
}
return false;
}
public boolean commit() throws LoginException {
System.out.println(" =========== commit ==========");
return true;
}
public boolean abort() throws LoginException {
System.out.println(" =========== abort ==========");
return true;
}
@Override
public boolean logout() throws LoginException {
System.out.println(" =========== logout ==========");
return true;
}
}
SampleAcn.java
package authentication;
import javax.security.auth.login.LoginContext;
public class SampleAcn {
public static void main(String[] args) throws Exception {
LoginContext lc = new LoginContext("sample",new MyCallbackHandler());
lc.login();
}
}
sample_jaas.config
sample { authentication.SampleLoginModule required debug=true; };
要设置的系统参数 -Djava.security.auth.login.config==src/authentication/sample_jaas.config
Demo认证执行流程:
LoginContext lc = new LoginContext("sample",new MyCallbackHandler());
构造LoginContext
lc.login();
执行认证。因为系统参数设置
-Djava.security.auth.login.config==src/authentication/sample_jaas.config
所以认证配置文件是sample_jaas.config。因为构造LoginContext的时候传入的第一个参数是"sample".
所以在sample_jaas.config中查找名为sample的配置段。及
sample { authentication.SampleLoginModule required debug=true; };
authentication.SampleLoginModule为指定的LoginModule实现。
因为构造LoginContext的时候传入的第二个参数是new MyCallbackHandler。所以MyCallbackHandler用于获取用户认证信息。
所以:在执行lc.login()时,会调用SampleLoginModule的login方法。而SampleLoginModule会通过MyCallbackHandler获取用户的认证信息。如果认证成功则返回true,否则返回false.