Wednesday, September 10, 2008

JBoss JAAS and the Tomcat j_security_check CMS Relationship (Part 2)

What exactly does the login method of JBoss's WebAuthentication do? Does it link JAAS to the Tomcat container?
To answer that we need to look at the code:

http://www.javakey.net/source/jboss/4.x/org/jboss/web/tomcat/security/login/WebAuthentication.java.html

From there you can see the back-door method for getting hold of the currently active org.apache.catalina.connector.Request (http://www.docjar.com/html/api/org/apache/catalina/connector/Request.java.html) from Tomcat:

Request request = (Request) SecurityAssociationValve.activeRequest.get();

This approach is very cool. What it actually does is call the overloaded authenticate methods of the Realm attached to the Request's context.
That Realm is defined in Tomcat's web.xml through the following configuration. For example, in jboss 4.2.3GA, server\default\deploy\jboss-web.deployer\server.xml defines:
<Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm" certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping" allRolesMode="authOnly"/>

Source code of the related JBoss classes: http://www.javakey.net/source/jboss/4.x/allClasses.html
The whole workflow:
JAASRealm authenticates the user and creates a GenericPrincipal with
userPrincipal set to some principal returned by LoginModule.

Later RealmBase.hasResourcePermission() calls request.getUserPrincipal()
to recover authenticated user principal

Request.getUserPrincipal() checks if the principal is instanceof
GenericPrincipal, and if it is, it returns its userPrincipal.

RealmBase.hasRole() checks if the principal is instanceof GenericPrincipal
and if not it fails immediately.

Note: previous versions of JAASRealm had their own hasRole() implementation.

Note: request.isUserInRole() is not getting userPrincipal from
GenericPrincipal when calling realm.hasRole(), and this one seems to
work.
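To show how the pieces above fit together from application code, here is an added example of programmatic login through WebAuthentication followed by the container-side checks described in the workflow (request.getUserPrincipal() and isUserInRole(), which run through the Realm configured in server.xml). This is example code written for this post, not JBoss's own; the servlet class, the form parameter names and the "admin" role are assumptions.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jboss.web.tomcat.security.login.WebAuthentication;

/**
 * Programmatic login on JBoss 4.2.x. Servlet name, parameter names and the
 * "admin" role are assumptions made for this example.
 */
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");         // assumed form field
        String password = req.getParameter("password"); // assumed form field

        // WebAuthentication fetches the active catalina Request via
        // SecurityAssociationValve.activeRequest and hands the credentials to
        // the Realm from server.xml (JBossSecurityMgrRealm), i.e. the JAAS
        // login modules of the security domain decide, not this servlet.
        WebAuthentication webAuth = new WebAuthentication();
        boolean authenticated = webAuth.login(user, password);
        if (!authenticated) {
            // The realm rejected the credentials; no principal was attached,
            // so getUserPrincipal() would still return null here.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }

        // On success the realm stored a GenericPrincipal on the request.
        // getUserPrincipal() unwraps it to the LoginModule's userPrincipal and
        // isUserInRole() goes through RealmBase.hasRole(), which only accepts
        // a GenericPrincipal, exactly as described in the workflow above.
        Principal p = req.getUserPrincipal();
        boolean isAdmin = req.isUserInRole("admin");

        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + p.getName() + " admin=" + isAdmin);
    }
}
```

Because the roles come from the same Realm that j_security_check uses, the servlet cannot grant itself a role the login module did not assign.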