我想保护我在 WildFly 9 服务器上运行的 web 应用程序。
我有一个带有 2 个表users(login, password)和roles(login, role).
首先,我配置了这样的 BASIC 身份验证:
独立的.xml:
<security-domain name="mydomain" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/myDS"/>
<module-option name="principalsQuery" value="select password from users where login=?"/>
<module-option name="rolesQuery" value="select role, 'Roles' from roles where login=?"/>
</login-module>
</authentication>
</security-domain>
网页.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>name</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/mydomain</security-domain>
</jboss-web>
它工作正常,但这是一个不好的做法,因为密码通过网络以明文形式发送并以相同的方式存储在数据库中。因此,我尝试将 BASIC 更改为 DIGEST 这样做:
Standalone.xml:添加了一些选项模块
<security-domain name="mydomain" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/myDS"/>
<module-option name="principalsQuery" value="select password from users where login=?"/>
<module-option name="rolesQuery" value="select role, 'Roles' from roles where login=?"/>
<module-option name="hashAlgorithm" value="MD5"/>
<module-option name="hashEncoding" value="RFC2617"/>
<module-option name="hashUserPassword" value="false"/>
</login-module>
</authentication>
</security-domain>
web.xml:更改了登录配置部分
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>MyRealm</realm-name>
</login-config>
但我有这个错误:
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=dsJndiName, value=java:jboss/datasources/proxysnmpDS
name=principalsQuery, value=select passwd from LOGIN where login=?
name=hashUserPassword, value=false
name=rolesQuery, value=select role, 'Roles' from USER_ROLES where login=?
name=hashEncoding, value=RFC2617
name=hashAlgorithm, value=MD5
15:03:06,676 TRACE [org.jboss.security 137] (default task-2) PBOX00236: Begin initialize method
15:03:06,676 DEBUG [org.jboss.security 154] (default task-2) PBOX00281: Password hashing activated, algorithm: MD5, encoding: RFC2617, charset: null, callback: null, storeCallBack: null
15:03:06,676 TRACE [org.jboss.security 133] (default task-2) PBOX00262: Module options [dsJndiName: java:jboss/datasources/proxysnmpDS, principalsQuery: select passwd from LOGIN where login=?, rolesQuery: select role, 'Roles' from USER_ROLES where login=?, suspendResume: true]
15:03:06,676 TRACE [org.jboss.security 186] (default task-2) PBOX00240: Begin login method
15:03:06,682 TRACE [org.jboss.security 182] (default task-2) PBOX00263: Executing query select passwd from LOGIN where login=? with username admin
15:03:06,693 DEBUG [org.jboss.security 287] (default task-2) PBOX00283: Bad password for username admin
15:03:06,694 TRACE [org.jboss.security 269] (default task-2) PBOX00244: Begin abort method, overall result: false
15:03:06,694 DEBUG [org.jboss.security 368] (default task-2) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.9.2.Final.jar:4.9.2.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_60]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_60]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_60]
...
我认为这是因为从 webapp 登录系统收到的哈希密码和数据库中的哈希密码不一样。我在数据库中的散列密码是login:realm:password.
有人可以告诉我出了什么问题吗?