1

I have read there; I am using a GlassFish 3.1.1 security realm configured with the SHA-256 digest algorithm. Is there any tutorial about this? Maybe I am blethering; I am trying to log in with this code:

public void login() throws NoSuchAlgorithmException {
    FacesContext context = FacesContext.getCurrentInstance();
    HttpServletRequest request = (HttpServletRequest)context.getExternalContext().getRequest();

    EntityManager em = emf.createEntityManager();
    boolean committed = false;
    try {
        FacesMessage msg = null;
        EntityTransaction entr = em.getTransaction();
        entr.begin();
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(password.getBytes());
            byte byteData[] = md.digest();
            StringBuffer sb = new StringBuffer();
            for (int i = 0; i < byteData.length; i++) {
                sb.append(Integer.toString((byteData[i] & 0xff) + 0x100, 16).substring(1));
            }
            password = sb.toString();
            Query query = em.createQuery("SELECT COUNT(u) FROM EntityUser u WHERE u.userName = :userName AND u.password = :password")
                    .setParameter("userName", userName).setParameter("password", password);
            long result = (long)query.getSingleResult();
            if (result == 1) {
                request.login(userName, password);
                msg = new FacesMessage();
                msg.setSeverity(FacesMessage.SEVERITY_INFO);
                msg.setSummary("You are logged in");
            }
            entr.commit();
            committed = true;
        } catch (ServletException e) {
            context.addMessage(null, new FacesMessage("wrong username or password"));
        }
        finally {
            if (!committed) entr.rollback();
        }
    } finally {
        em.close();
    }
}

The result variable returns 1, but the request.login(userName, password); method in the if condition always throws ServletException.

4

3 Answers

1

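Can you post the exception stack trace? That would make it easier to understand where the exception comes from. But from the code you have provided so far, you should call

request.login(userName, password);

with the plain-text password, not the hashed password.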

Interface HttpServletRequest
ServletException - if the configured login mechanism does not support username password
authentication, or if a non-null caller identity had already been established (prior to 
the call to login), or if validation of the provided username and password fails.
Answered 2014-01-27T08:12:24.220
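
Why handing the digest to request.login fails, as an added example that is not part of the original answer and not GlassFish code: a simplified model that assumes the realm stores hex-encoded SHA-256 digests and hashes whatever password it is given before comparing. The class name, the in-memory user table and the sample credentials are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Simplified model of a digest-based realm (an assumption, not GlassFish source):
// the user table stores hex(SHA-256(password)) and the realm hashes whatever
// the caller passes to login() before comparing.
public class RealmDigestDemo {
    // Constructed sample user table: userName -> stored hex digest.
    static final Map<String, String> USER_TABLE = new HashMap<>();

    static String sha256Hex(String input) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Stand-in for what the realm does behind request.login(userName, password).
    static boolean realmLogin(String userName, String suppliedPassword)
            throws NoSuchAlgorithmException {
        String stored = USER_TABLE.get(userName);
        if (stored == null) {
            return false;
        }
        // Constant-time comparison of the stored and the freshly computed digest.
        return MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8),
                sha256Hex(suppliedPassword).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String plain = "s3cret-example"; // constructed sample password
        USER_TABLE.put("alice", sha256Hex(plain));

        // Plain text in: the realm hashes once and the digests match.
        System.out.println("plain text password: " + realmLogin("alice", plain));
        // Digest in (what the question's code does): the realm hashes again,
        // so SHA-256(SHA-256(p)) is compared with SHA-256(p) and login fails.
        System.out.println("pre-hashed password: " + realmLogin("alice", sha256Hex(plain)));
    }
}
```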
0

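There can be many reasons for a login failure. You have only checked that the appropriate user and password are in the table. Glassfish performs two queries against two tables during authentication: one against the table specified as userTable, and a second against groupTable, as determined in the security realm definition. Check that web.xml and glassfish-web.xml are correct as well.

Answered 2012-05-01T16:41:26.757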
0

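The question is entirely about the method

request.login(userName, password);

The author did everything correctly, even his own way of authenticating against the user database, but request.login requires an authentication realm to be set up before this method can be used. You have your own, and you do not need separate request.login authentication. For the case where you do need it, this is how you do it: jdbc-realm-setup-with-glassfish-v3

So, after you get result=1, you set your context.getExternalContext().getSessionMap().put("user", u); and send the redirect context.getExternalContext().redirect(context.getExternalContext().getRequestContextPath() + "какой-то модуль.xhtml");

And use a WebFilter to block access to /Pages/*.xhtml without logging in.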

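import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Guards everything under /Pages/: only requests whose session carries a "user" attribute pass.
@WebFilter("/Pages/*")
public class LoggingFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // "user" is the session attribute stored by the login method after a successful check.
        User user = (User) req.getSession().getAttribute("user");
        if (user != null) {
            chain.doFilter(request, response);
        } else {
            // Not logged in: send the client to the credentials page.
            res.sendRedirect(req.getContextPath() + "/запрос_учетных_данных.xhtml");
        }
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }
}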
Answered 2017-01-08T14:03:38.630