我正在过渡到 GlassFish 3.1.2,但似乎无法解决身份验证问题。
议程很简单:我想要一个登录 bean 为用户进行编程身份验证。身份验证似乎有效(代码通过 login() 方法),但服务器最终显示受保护资源的 403 ......请帮助:)
这里有更多细节。有一个带有名称/密码对的纯 JSF 登录页面:
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:p="http://primefaces.org/ui" template="/templates/main.xhtml">
<ui:define name="body">
<h:form id="form">
<p:messages />
<p:panel>
<h:panelGrid>
<h:outputText value="User Name" />
<p:inputText value="#{loginBean.userName}" id="userName"
required="true" />
<p:message for="userName" />
<h:outputText value="Password" />
<p:password value="#{loginBean.password}" id="password"
required="true" />
<p:message for="password" />
</h:panelGrid>
<h:panelGrid columns="2">
<p:commandButton value="Clear"
actionListener="#{loginBean.clear()}" ajax="false" />
<p:commandButton value="Login" action="#{loginBean.login()}"
ajax="false" />
</h:panelGrid>
</p:panel>
</h:form>
</ui:define>
</ui:composition>
和一个执行登录的 bean
@Named("loginBean")
@SessionScoped
public class LoginBean implements Serializable {
private static final long serialVersionUID = 1L;
@Inject
@Named("dao")
private Dao dao;
private String userName;
private String password;
@Inject
private UserBean userBean;
...
public String login() {
HttpServletRequest request = (HttpServletRequest) FacesContext
.getCurrentInstance().getExternalContext().getRequest();
try {
request.login(getUserName(), getPassword());
Principal principal = request.getUserPrincipal();
logger.info("Logged in successfully: " + principal);
} catch (ServletException e) {
Messages.addError("Invalid user name or password.");
return null;
}
User user = dao.findSingle("SELECT u FROM User AS u WHERE u.name = ?1",
getUserName());
if (user == null) {
logger.severe("Unable to find user record after successful authentication");
Messages.addError("Unable to load user record");
try {
request.logout();
} catch (ServletException e) {
logger.log(Level.SEVERE, "Unable to logout after failed login attempt", e);
}
return null;
}
getUserBean().setUser(user);
return "/list/list.xhtml?faces-redirect=true";
}
...
accessors
...
}
这是我的 web.xml
<?xml version='1.0' encoding='UTF-8'?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>GM</display-name>
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<!-- Faces Servlet -->
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<login-config>
<realm-name>gmRealm</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/list/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Area</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<welcome-file-list>
<welcome-file>login.xhtml</welcome-file>
</welcome-file-list>
</web-app>
这是项目的文件夹结构:
我还能够按照此处讨论的方式设置领域:http: //blog.gamatam.com/2009/11/jdbc-realm-setup-with-glassfish-v3.html
没什么特别的,AFAICT。
但是,每当我在成功登录后访问受保护的资源时,我都会得到:
HTTP Status 403 - Access to the requested resource has been denied
尽管服务器日志包含以下消息:
INFO: Logged in successfully: nick
另请注意,当我从 login() 方法的返回值中删除“?faces-redirect = true”时,初始受保护资源在登录后立即呈现,但所有后续请求都失败并出现 403。
这是它在调试器中显示的内容:
我也认为我已经完成了我的功课:
使用 j_security_check 在 Java EE / JSF 中执行用户身份验证
Glassfish 3 安全性 - 使用 JDBC 领域的基于表单的身份验证
请帮忙...