To follow this, look at the source:
http://www.javakey.net/source/jboss/4.x/org/jboss/web/tomcat/security/login/WebAuthentication.java.html
It shows the back-door (non-public) way of obtaining the currently active
org.apache.catalina.connector.Request (http://www.docjar.com/html/api/org/apache/catalina/connector/Request.java.html) from Tomcat:
Request request = (Request) SecurityAssociationValve.activeRequest.get();
This trick is very cool.
What actually happens here is a call to the multi-argument authenticate method of the Realm attached to the Request's context.
That Realm is defined in the Tomcat configuration, for example in jboss 4.2.3GA under
server\default\deploy\jboss-web.deployer\server.xml:
<Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm" certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping" allRolesMode="authOnly"/>
Source code of the related JBoss classes: http://www.javakey.net/source/jboss/4.x/allClasses.html
The overall workflow:
1. JAASRealm authenticates the user and creates a GenericPrincipal whose userPrincipal is set to some principal returned by the LoginModule.
2. Later, RealmBase.hasResourcePermission() calls request.getUserPrincipal() to recover the authenticated user principal.
3. Request.getUserPrincipal() checks whether the principal is an instance of GenericPrincipal, and if it is, returns its userPrincipal.
4. RealmBase.hasRole() checks whether the principal is an instance of GenericPrincipal, and if it is not, fails immediately.
Note: previous versions of JAASRealm had their own hasRole() implementation.
Note: request.isUserInRole() does not extract userPrincipal from the GenericPrincipal when calling realm.hasRole(), and this one seems to work.
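The following is an added, self-contained illustration of that workflow, not code from JBoss or Tomcat: the class names mirror the concepts above (ThreadLocal-bound Request, GenericPrincipal wrapping the LoginModule's principal, an instanceof check in hasRole), but they are simplified stand-ins, the user table replaces JAAS LoginModules, and the credentials are constructed sample data. It demonstrates why a role check on the unwrapped userPrincipal fails while the same check on the GenericPrincipal succeeds.

```java
import java.security.Principal;
import java.util.Set;

public class ProgrammaticLoginDemo {
    // Stand-in for Tomcat's GenericPrincipal: roles plus the principal the LoginModule returned
    static final class GenericPrincipal implements Principal {
        final String name; final Set<String> roles; final Principal userPrincipal;
        GenericPrincipal(String name, Set<String> roles, Principal userPrincipal) {
            this.name = name; this.roles = roles; this.userPrincipal = userPrincipal;
        }
        public String getName() { return name; }
    }

    // Stand-in for the Request, bound per thread the way SecurityAssociationValve.activeRequest is
    static final class Request {
        static final ThreadLocal<Request> ACTIVE = new ThreadLocal<>();
        Principal principal;
        // Mirrors Request.getUserPrincipal(): a GenericPrincipal is unwrapped to its userPrincipal
        Principal getUserPrincipal() {
            return principal instanceof GenericPrincipal ? ((GenericPrincipal) principal).userPrincipal : principal;
        }
    }

    // Stand-in realm: a fixed (constructed) user entry instead of JAAS LoginModules
    static GenericPrincipal authenticate(String user, String pass) {
        if (!"alice".equals(user) || !"s3cret".equals(pass)) return null;
        Principal fromLoginModule = () -> "alice";   // what a LoginModule would have returned
        return new GenericPrincipal(user, Set.of("admin"), fromLoginModule);
    }

    // Equivalent of the programmatic login: fetch the thread's request and bind the result to it
    static boolean login(String user, String pass) {
        Request request = Request.ACTIVE.get();
        if (request == null) throw new IllegalStateException("no active request bound to this thread");
        GenericPrincipal gp = authenticate(user, pass);
        if (gp == null) return false;
        request.principal = gp;
        return true;
    }

    // Mirrors RealmBase.hasRole(): anything that is not a GenericPrincipal is rejected outright
    static boolean hasRole(Principal p, String role) {
        return p instanceof GenericPrincipal && ((GenericPrincipal) p).roles.contains(role);
    }

    public static void main(String[] args) {
        Request req = new Request();
        Request.ACTIVE.set(req);   // the valve binds the request before the servlet runs
        try {
            System.out.println("login: " + login("alice", "s3cret"));
            System.out.println("hasRole on GenericPrincipal: " + hasRole(req.principal, "admin"));
            System.out.println("hasRole on unwrapped userPrincipal: " + hasRole(req.getUserPrincipal(), "admin"));
        } finally { Request.ACTIVE.remove(); }   // never leave a principal bound to a pooled thread
    }
}
```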