I am using TomEE 8.0.8 with the web profile. Here is a minimal example:

```java
import java.io.IOException;

import javax.inject.Inject;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.authentication.mechanism.http.CustomFormAuthenticationMechanismDefinition;
import javax.security.enterprise.authentication.mechanism.http.LoginToContinue;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import static javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters.withParams;

@WebServlet("/login")
@CustomFormAuthenticationMechanismDefinition(
        loginToContinue = @LoginToContinue(loginPage = "/WEB-INF/views/login.jsp"))
public class LoginServlet extends HttpServlet {

    @Inject
    SecurityContext securityContext;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // GET just renders the login form
        req.getRequestDispatcher("/WEB-INF/views/login.jsp").forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("pass");
        Credential credential = new UsernamePasswordCredential(username, password);
        // Hand the submitted credential to the configured authentication mechanism
        AuthenticationStatus authenticate =
                securityContext.authenticate(req, resp, withParams().credential(credential));
    }
}
```
Protected page (authenticated users only):

```java
import java.io.IOException;
import java.security.Principal;

import javax.inject.Inject;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/protected")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"admin"}))
public class ProtectedResource extends HttpServlet {

    @Inject
    Principal principal;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Print the name of the authenticated caller
        System.out.println(principal.getName());
    }
}
```
If I go to `/protected` as an unauthenticated user, the web server redirects me to the login page, where I can submit my credentials and am then redirected to the page I wanted to see. This works as expected.

The problem is that I want to log in without accessing any protected resource: if I go to `/login` and submit my credentials, they are not saved in the session. In fact, if I then try to open `/protected`, it still behaves as if no authentication has taken place.

What could be the problem? JSR 375 talks about `processCallerInitiatedAuthentication` and `processContainerInitiatedAuthentication`, involving the `newAuthentication` parameter, but I cannot get it to work.

Update: the `securityContext.authenticate(req, resp, authparams)` call seems to have a similar result whether it is invoked by the protected resource or by the login page itself: the `Principal` is saved in the request but not in the session.

The actual difference is that, after `LoginServlet#doGet` is called, the TomEE filter (`OpenEJBSecurityListener$RequestCapture`, I guess) enters a specific `if` branch in `AuthenticatorBase#authenticateJaspic` (line 902), where it checks the previously mentioned `Principal` and then saves the authentication state in the session. This only happens when logging in after trying to access a restricted resource.

For now I will make a dummy protected page to simulate the caller-initiated authentication process, but I would like to know what else can be done about this.
Update 2: here is the log output of `org.apache.catalina.authenticator.AuthenticatorBase`.

If I access the protected resource:

```text
## I open the protected page
02-Jan-2022 19:02:00.278 FINE [http-nio-8080-exec-74] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /myapp/protected
02-Jan-2022 19:02:00.278 FINE [http-nio-8080-exec-74] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
02-Jan-2022 19:02:00.278 FINE [http-nio-8080-exec-74] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
02-Jan-2022 19:02:00.280 FINE [http-nio-8080-exec-74] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
## I submit the form
02-Jan-2022 19:02:22.865 FINE [http-nio-8080-exec-76] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request POST /myapp/doLogin
02-Jan-2022 19:02:22.865 FINE [http-nio-8080-exec-76] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
02-Jan-2022 19:02:22.865 FINE [http-nio-8080-exec-76] org.apache.catalina.authenticator.AuthenticatorBase.authenticateJaspic Authenticated user: null
02-Jan-2022 19:02:22.865 FINE [http-nio-8080-exec-76] org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed all security constraints
02-Jan-2022 19:02:22.974 FINE [http-nio-8080-exec-77] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /myapp/protected
02-Jan-2022 19:02:22.975 FINE [http-nio-8080-exec-77] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
02-Jan-2022 19:02:22.975 FINE [http-nio-8080-exec-77] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
02-Jan-2022 19:02:22.976 FINE [http-nio-8080-exec-77] org.apache.catalina.authenticator.AuthenticatorBase.authenticateJaspic Authenticated user: GenericPrincipal[admin(admin,user,)]
02-Jan-2022 19:02:22.976 FINE [http-nio-8080-exec-77] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'admin' with type 'JASPIC'
02-Jan-2022 19:02:22.976 FINE [http-nio-8080-exec-77] org.apache.catalina.authenticator.AuthenticatorBase.changeSessionID Session ID changed on authentication from [F169FEBAA4C7EF7FC32445F146BCAC9E] to [932FF01A3F035B80E93464E8CB25853B]
02-Jan-2022 19:02:22.976 FINE [http-nio-8080-exec-77] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
02-Jan-2022 19:02:22.977 FINE [http-nio-8080-exec-77] org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed all security constraints
```
If I access the login page directly:

```text
# If i access the login page directly
02-Jan-2022 19:04:20.245 FINE [http-nio-8080-exec-80] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /myapp/login
02-Jan-2022 19:04:20.246 FINE [http-nio-8080-exec-80] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
02-Jan-2022 19:04:20.290 FINE [http-nio-8080-exec-80] org.apache.catalina.authenticator.AuthenticatorBase.authenticateJaspic Authenticated user: null
02-Jan-2022 19:04:20.290 FINE [http-nio-8080-exec-80] org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed all security constraints
# I submit the form
02-Jan-2022 19:04:48.657 FINE [http-nio-8080-exec-76] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request POST /myapp/login
02-Jan-2022 19:04:48.657 FINE [http-nio-8080-exec-76] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
02-Jan-2022 19:04:48.657 FINE [http-nio-8080-exec-76] org.apache.catalina.authenticator.AuthenticatorBase.authenticateJaspic Authenticated user: null
02-Jan-2022 19:04:48.657 FINE [http-nio-8080-exec-76] org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed all security constraints
02-Jan-2022 19:04:48.977 FINE [http-nio-8080-exec-77] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /myapp/images/logo.ico
02-Jan-2022 19:04:48.978 FINE [http-nio-8080-exec-77] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
02-Jan-2022 19:04:48.978 FINE [http-nio-8080-exec-77] org.apache.catalina.authenticator.AuthenticatorBase.authenticateJaspic Authenticated user: null
02-Jan-2022 19:04:48.978 FINE [http-nio-8080-exec-77] org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed all security constraints
```
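The following is an added example, not code from the question above. It rewrites the login servlet so that the POST asks the mechanism for a caller-initiated authentication by passing `newAuthentication(true)` in the `AuthenticationParameters`, which is the parameter the question mentions from JSR 375, and it handles every `AuthenticationStatus` value instead of discarding the result. Assumptions: TomEE 8 with Jakarta Security 1.0 in the `javax.*` namespace, the same `CustomFormAuthenticationMechanismDefinition` and identity store setup as in the question, and that the mechanism registers the session on a successful caller-initiated login (my reading of the spec; verify it against the `AuthenticatorBase.register` and `changeSessionID` lines appearing on the POST itself in the log).

```java
import java.io.IOException;
import java.security.Principal;

import javax.inject.Inject;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.authentication.mechanism.http.CustomFormAuthenticationMechanismDefinition;
import javax.security.enterprise.authentication.mechanism.http.LoginToContinue;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import static javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters.withParams;

// Added example (not the question's code): login servlet performing a
// caller-initiated authentication that does not depend on a prior redirect
// from a protected resource.
@WebServlet("/login")
@CustomFormAuthenticationMechanismDefinition(
        loginToContinue = @LoginToContinue(loginPage = "/WEB-INF/views/login.jsp"))
public class LoginServlet extends HttpServlet {

    @Inject
    private SecurityContext securityContext;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // An already authenticated caller does not need the form again.
        Principal caller = securityContext.getCallerPrincipal();
        if (caller != null) {
            resp.sendRedirect(req.getContextPath() + "/protected");
            return;
        }
        req.getRequestDispatcher("/WEB-INF/views/login.jsp").forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("pass");
        if (username == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // newAuthentication(true): signal to the mechanism that this is a fresh,
        // caller-initiated login rather than the continuation of a
        // container-initiated one. Assumption: with this flag the mechanism
        // asks the container to register the resulting principal in the session.
        AuthenticationStatus status = securityContext.authenticate(req, resp,
                withParams()
                        .credential(new UsernamePasswordCredential(username, password))
                        .newAuthentication(true));

        switch (status) {
            case SUCCESS:
                // The container rotates the session id on registration (the
                // changeSessionID log line); redirect so the POST is not resubmitted.
                resp.sendRedirect(req.getContextPath() + "/protected");
                break;
            case SEND_CONTINUE:
                // The mechanism has already written its own redirect or challenge.
                break;
            case SEND_FAILURE:
            case NOT_DONE:
            default:
                // Same outcome for unknown user and wrong password, so the
                // response does not reveal which one it was.
                resp.sendRedirect(req.getContextPath() + "/login?error=1");
        }
    }
}
```

After deploying this, the `AuthenticatorBase` FINE log for the `POST /myapp/login` request is the check that matters: a successful caller-initiated login should show `register Authenticated '...' with type 'JASPIC'` and `changeSessionID` on the POST itself, and the following `GET /myapp/protected` should report a non-null `Authenticated user` without any intermediate redirect. If the POST still logs `Authenticated user: null`, the flag is not reaching the mechanism and the dummy protected page remains the workaround.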