基于JAAS的用户验证和控制模型的一般设计.doc

基于 JAAS 的用户验证和控制模型的一般设计

客户端通过 a LoginContext 对象与 JAAS 交互, 该对象提供一个方法来开发与下层认证

无关的应用. LoginContext 类,是 javax.security.auth.login 包的一部分, 描述用

于认证对象的方法. A subject 是在一个系统内的你想认证和分配访问权限的对象的标识。A

subject 可以是一个用户、或一个机器并用 javax.security.auth.Subject 类表示.

因为一个实体（subject）也许回与多个授权交互 authorities (一个口令用于在线银行而另一

个用于电子邮件系统), a java.security.Principal is used to represent the identity in

those interactions. In other words, the Principal interface is an abstract notion that can

be used to represent an entity, a company, or a login ID.一个 Subject 可以包含多个

一个配置文件用来指定认证技术, or LoginModule, to be used with a particular

application. 这样一来, 可以在一个应用中挂接多个不同的 LoginModule 而不用对应用代

码作任何修改.

Code Sample 1 是一个 JAAS 客户的例子. I have used the LoginContext that will invoke

the LoginModules specified in the configuration to 完成认证, 并使用 the LoginContext

with a name "WeatherLogin"进行初始化, and callback handler "MyCallbackHandler"

whose implementation is shown in Code Sample 2. The name will be used as the index in

the Configuration file to determine which LoginModule should be used. 当你看到配置文

件的时候这会变得更清晰. The callback handler is passed to the underlying LoginModule

so that they can communicate and interact with the user to prompt for a

Other callbacks, which are part of the javax.security.auth.callback class,

include:

▪ ChoiceCallback (显示一系列选项)

▪ ConfirmationCallback (ask for YES/NO, OK/CANCEL)

▪ LanguageCallback (the Locale used for localizing text

▪ TextInputCallback (retrieve generic text information)

▪ TextOutputCallback (display information, warning, and error messages)

实现 CallbackHandler 接口意味着 that you need to provide implementation to the

handle method to 取回或显示 the information requested in the provided callbacks. 一个范

例实现如例 2 所示. Note that here I am using the NameCallback to interact with the

现在，让我们研究一个 LoginModule 实现的样例. 注意到事实上应用程序开发者不需要自

己实现 LoginModules; they can use login modules and plug them into their applications.

For example, Sun Microsystems ships several LoginModules including:

JndiLoginModule, KeyStoreLoginModule, Krb5LoginModule, NTLoginModule,

UNIXLoginModule. If you'd like to learn how to use any of these login modules, please

refer to the documentation in the For More Information section at the end of this article.

这个例子非常简单，它仅识别一个 authentication string 和一个 Principal "SunnyDay",

▪ initialize: The purpose of this method is to initialize this LoginModule with

the relevant information. The Subject passed in this method is used to store the

Principals and Credentials if login succeeds. Note that this method takes a

CallbackHanlder that can be used for entering authentication information. In

this example, I do not use the CallbackHandler. The CallbackHandler is

useful as it decouples the services provider from the specific input device being

used.

▪ login: Asks the LoginModule to authenticate the Subject. Note that the

Principal has not been assigned yet.

▪ commit: This method is called if the LoginContext's overall authentication

been split for formatting purposes)

Code Sample 3: WeatherLoginModule.java