2

I'm having a web-application that is secured with HTTP-Basic auth. I also implemented a filter using the ServletRequestListener interface. Now when the filter calls the requestInitialized method, the getUserPrincipal-Method of the request returns null. But when I check the request headers, the authorization-header is set with the encrypted value. Here's the code:

@Override
public void requestInitialized(ServletRequestEvent e) {

  HttpServletRequest request = (HttpServletRequest) e.getServletRequest();

  //p is null
  Principal p = request.getUserPrincipal();

  Enumeration<String> enH = request.getHeaders("Authorization");
  while (enH.hasMoreElements()) {
    String s = enH.nextElement();
    System.out.println(s);
    //prints. 
    //Basic c3RhY2tvdmVyZmxvdzpteXBhc3N3b3Jk
  }
}

Why is the userprincipal not initialized?

4

2 回答 2

2

您可能没有为嵌入式码头设置所需的安全层。

这是在Jetty 嵌入式示例源代码树找到的示例。

package org.eclipse.jetty.embedded;

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.security.Constraint;

public class SecuredHelloHandler
{
    public static void main(String[] args) throws Exception
    {
        Server server = new Server(8080);

        LoginService loginService = new HashLoginService("MyRealm","src/test/resources/realm.properties");
        server.addBean(loginService); 

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        server.setHandler(security);

        Constraint constraint = new Constraint();
        constraint.setName("auth");
        constraint.setAuthenticate( true );
        constraint.setRoles(new String[]{"user", "admin"});

        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setPathSpec( "/*" );
        mapping.setConstraint( constraint );

        Set<String> knownRoles = new HashSet<String>();
        knownRoles.add("user");
        knownRoles.add("admin");

        security.setConstraintMappings(Collections.singletonList(mapping), knownRoles);
        security.setAuthenticator(new BasicAuthenticator());
        security.setLoginService(loginService);
        security.setStrict(false);

        // Your Handler (or Servlet) that should be secured
        HelloHandler hh = new HelloHandler();

        security.setHandler(hh);

        server.start();
        server.join();
    }
}
于 2013-04-23T16:48:43.243 回答
1

我通过使用过滤器而不是侦听器来解决它..

@WebFilter(urlPatterns = { "/*" })
public class RequestFilter implements Filter {

@Override
public void doFilter(ServletRequest req, ServletResponse res,
        FilterChain fChain) throws IOException, ServletException {
    HttpServletRequest hReq = (HttpServletRequest) req;
    //p is not null anymore
    Principal p = hReq.getUserPrincipal();
    fChain.doFilter(hReq, res);
}

@Override
public void destroy() {
}

@Override
public void init(FilterConfig config) throws ServletException {
}
}
于 2013-04-26T08:54:30.400 回答