Java Web Series: JAAS authentication and authorization Foundation

1. Overview of authentication and authorization

(1) Authentication: verifying the user's identity.

.NET's role-based security (ref. 1) is built around two interfaces, System.Security.Principal.IPrincipal and System.Security.Principal.IIdentity. We implement the authentication process ourselves and use these interfaces to set and read the authentication result: once authentication succeeds, we set the authentication status and the identity.

Java has JAAS built in (reference 2). Its core is the javax.security.auth.Subject class and the java.security.Principal interface. Java also provides two types for the authentication process itself, the javax.security.auth.login.LoginContext class and the javax.security.auth.spi.LoginModule interface. We still implement the authentication process ourselves, but as long as we implement LoginModule, callers get a consistent API through LoginContext.

(2) Authorization: verifying the user's permissions, usually managed through roles.

.NET supports role-based authorization, and IPrincipal is the core of it. There are two ways to use it: 1. Use a built-in IPrincipal implementation and load the user's roles during authentication. 2. Write a custom IPrincipal implementation with its own IsInRole logic. In ASP.NET the role logic is forwarded to the System.Web.Security.Roles static class, and Roles relies on System.Web.Security.RoleProvider to query roles. A custom RoleProvider can be configured through the relevant nodes of web.config.

The JAAS Principal interface does not provide an IsInRole method. We have two choices: represent roles through multiple Principals, or add role support through a custom Principal implementation. The container-implemented org.apache.catalina.realm.GenericPrincipal in Tomcat has a role implementation very similar to its .NET counterpart in System.Security.Principal.

Java's Subject class and Principal interface do not map neatly onto .NET's IPrincipal and IIdentity interfaces. To ease a unified understanding of the .NET and Java core types: judging by their members, Java's Principal can be treated as the equivalent of .NET's IIdentity, and Subject is simply the aggregate root of the Principals. The GenericPrincipal in the Tomcat container mentioned above provides hasRole and getName members, and the corresponding HttpServletRequest members (isUserInRole and getUserPrincipal) in Tomcat's implementation are backed by GenericPrincipal.
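As an added illustration of the Java side described above (not code from the article or from any project it cites): a custom LoginModule that carries roles as extra Principals in the Subject, the first of the two choices mentioned, driven through LoginContext with a programmatic Configuration standing in for a JAAS configuration file. The class names, the user table and the credentials are constructed for the demo, and it needs Java 16 or later.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class RoleLoginDemo {   // Java 16+ (pattern-matching instanceof)
    // Constructed sample user table (demo only, plaintext passwords): name -> {password, role, role, ...}
    static final Map<String, String[]> USERS = Map.of("alice", new String[]{"s3cret", "admin", "user"});
    // Roles travel as extra Principals inside the Subject (hypothetical classes, not JAAS built-ins)
    public static class UserPrincipal implements Principal { final String name; UserPrincipal(String n) { name = n; }
        public String getName() { return name; } }
    public static class RolePrincipal extends UserPrincipal { RolePrincipal(String n) { super(n); } }

    public static class TableLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {  // phase 1: verify credentials, change nothing yet
            NameCallback nc = new NameCallback("user: "); PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[]{nc, pc}); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            String[] rec = USERS.get(nc.getName());
            ok = rec != null && pc.getPassword() != null && Arrays.equals(rec[0].toCharArray(), pc.getPassword());
            pc.clearPassword();
            if (!ok) throw new FailedLoginException("bad credentials");
            user = nc.getName(); return true;
        }
        public boolean commit() {  // phase 2: every required module passed, so attach principals now
            if (!ok) return false;
            String[] rec = USERS.get(user);
            subject.getPrincipals().add(new UserPrincipal(user));
            for (int i = 1; i < rec.length; i++) subject.getPrincipals().add(new RolePrincipal(rec[i]));
            return true;
        }
        public boolean abort() { ok = false; user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // Programmatic stand-in for a login configuration file entry: demo { TableLoginModule required; };
    static Configuration config() { return new Configuration() { public AppConfigurationEntry[] getAppConfigurationEntry(String n) {
        return new AppConfigurationEntry[]{new AppConfigurationEntry(TableLoginModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())}; } }; }
    // LoginContext is the consistent entry point; the CallbackHandler feeds credentials to whatever module is configured
    static boolean login(String user, char[] pass, Subject subject) {
        CallbackHandler h = cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback n) n.setName(user);
            else if (c instanceof PasswordCallback p) p.setPassword(pass);
            else throw new UnsupportedCallbackException(c); } };
        try { new LoginContext("demo", subject, h, config()).login(); return true; } catch (LoginException e) { return false; }
    }
    // Role query over the Subject, answering the same question as Tomcat's GenericPrincipal.hasRole
    static boolean hasRole(Subject s, String role) {
        return s.getPrincipals(RolePrincipal.class).stream().anyMatch(p -> p.getName().equals(role)); }
}
```

A wrong password makes `login()` return false and leaves the Subject empty, because principals are only added in `commit()`; a correct one yields `hasRole(s, "admin") == true`.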

2. .NET web authentication and authorization

ASP.NET forms authentication uses RolePrincipal as the principal. An unauthenticated user gets a GenericIdentity as its identity, an authenticated user a FormsIdentity. When checking roles, RolePrincipal goes through the Roles static class, which in turn queries the RoleProvider. The principal can be accessed directly through HttpContext.User.

The simplest custom RoleProvider only needs to inherit from RoleProvider and implement the GetRolesForUser and IsUserInRole methods. Typically a general-purpose RoleProvider is implemented by injecting delegates in Application_Start.

ASP.NET issues and revokes the authentication token through FormsAuthentication, and web.config can be configured so that different web servers encrypt and decrypt the token in the same way, which is needed for web server load balancing. When cookies are not suitable for carrying the token, the authentication logic can be customized, for example carrying the token in a URL parameter or using SSL for app-client authentication.

.NET authentication and authorization diagram:

The custom RoleProvider example omits code that does not need to be implemented. Assigning GetRolesForUserDelegate and IsUserInRoleDelegate in Application_Start completely decouples the RoleProvider from the application service code:

Forms authentication and the RoleProvider are defined in the web.config configuration file. ASP.NET configuration file example (other configuration omitted):

.NET also has two AppDomain methods for configuring the principal, and two types in System.Security.Permissions for controlling access.

3. JAAS

The interface defines six authentication- and authorization-related methods. Similar to ASP.NET, forms authentication is also configured in the configuration file. However, because Java tends to define a set of interfaces and defer the implementation to the container, the concrete dependency configuration must also be done in the container. So in addition to web.xml you also need to configure the JAAS configuration file in the container. Schematic diagram of JAAS:

(1) Using the JAAS built-in login module NTLoginModule:

Configuration:

Code:

(2) Using a login module with Tomcat's JAAS container support (reference 3):

web.xml used to configure forms authentication:

The content of this article was collected from the web by netizens and is provided for learning reference only; the copyright belongs to the original author.