Jaas: Flexible Java Security Mechanism (4)

zhaozj, 2021-02-16

Logging in and verifying with JSP and a relational database

Now we want to move the program, which so far has been run from the command line, into a web application. Because a web application interacts with the user differently from an ordinary application, we cannot use the standard Callback and CallbackHandler classes that JAAS provides: there is no command window in a web program where the user can type information. You might think of using HTTP-based authentication instead, so that we get the username from the username/password dialog the browser pops up. But that has problems of its own, since it requires a two-way HTTP exchange, and a two-way exchange is hard to carry out from inside the login() method. In our example we will therefore log in through a form, take the information entered in the form, and verify it through the RDBMSLoginModule class.

Since we do not deal with the LoginModule directly, how do we get the username and password into the LoginModule object through the LoginContext? There are several ways around this. For example, we could create a Subject object before creating the LoginContext, store the username and password in the Subject's credentials, and then pass that Subject to the LoginContext constructor. This works, but it adds a lot of security-related code to the application layer, and credentials are normally added to the Subject after authentication, not before it.

As mentioned earlier, you can implement your own CallbackHandler class and pass it to the LoginContext object. Here we use a similar approach to supply the username and password: we implement a new class, PassiveCallbackHandler. Here is the code used in the JSP:
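The post's own listing does not survive above. As an added example that is not the original post's code, here is one way to write a PassiveCallbackHandler of the kind described, using only the standard javax.security.auth.callback and javax.security.auth.login APIs. The login configuration entry name "RDBMSLogin" and the authenticate() helper that stands in for the JSP's form handling are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * A CallbackHandler that never prompts the user. It is constructed with the
 * username and password already read from the HTML form, and hands them to
 * whatever NameCallback / PasswordCallback the LoginModule asks for.
 */
public class PassiveCallbackHandler implements CallbackHandler {

    private final String username;
    private final char[] password;   // char[] rather than String so it can be zeroed

    public PassiveCallbackHandler(String username, char[] password) {
        this.username = username;
        // Defensive copy: the caller may clear its own array independently.
        this.password = password == null ? new char[0] : password.clone();
    }

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                // PasswordCallback clones the array, so our copy can still be cleared.
                ((PasswordCallback) cb).setPassword(password);
            } else {
                // Interactive callbacks (TextInputCallback, ConfirmationCallback, ...)
                // cannot be satisfied without a user at a terminal, so refuse them.
                throw new UnsupportedCallbackException(cb, "Unsupported callback");
            }
        }
    }

    /** Zero the stored password once the LoginContext has finished with it. */
    public void clear() {
        Arrays.fill(password, '\0');
    }

    /**
     * How a JSP or servlet would use the handler (assumed helper, not from the post).
     * formUser / formPassword stand in for request.getParameter("username") and
     * request.getParameter("password"); "RDBMSLogin" is an assumed entry name in the
     * JAAS login configuration file that points at RDBMSLoginModule.
     */
    public static boolean authenticate(String formUser, String formPassword) {
        PassiveCallbackHandler handler =
                new PassiveCallbackHandler(formUser, formPassword.toCharArray());
        try {
            LoginContext lc = new LoginContext("RDBMSLogin", handler);
            lc.login();        // RDBMSLoginModule pulls the credentials through handle()
            return true;       // lc.getSubject() now carries the authenticated principals
        } catch (LoginException e) {
            return false;      // report a generic failure; do not echo e.getMessage() to the browser
        } finally {
            handler.clear();   // the plaintext password is no longer needed in memory
        }
    }
}
```

Because the handler answers only NameCallback and PasswordCallback, a LoginModule that asks for anything else fails fast with UnsupportedCallbackException instead of hanging waiting for input that a web request can never provide; the LoginModule should likewise call PasswordCallback.clearPassword() once it has checked the password against the database.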