JDBC Realm Login Page

2019-01-20 06:07发布

问题:

i tried to create a login page using JDBC realm but did not works.

My steps :

  1. Create database, user and group table
  2. Create connection pool and data source, custom realm.
  3. Add security roles mapping, login constraint, security constraint and security roles.
  4. Create login jsp and login servlet

I can ping the connection pool during creation.

What is the minimal configuration require to perform the above task ?

My Code :

create table login
(
  username varchar(128) NOT NULL CONSTRAINT usernamePk primary key, 
  password varchar(128) NOT NULL 
);

insert into Login values('peterwkc', '1234');


create table grouptable
(
        username varchar(128) NOT NULL,
        groupid  varchar(128) NOT NULL,
        CONSTRAINT GROUP_PK PRIMARY KEY(username, groupid),
        CONSTRAINT USER_FK FOREIGN KEY(username) REFERENCES Login (username)
            ON DELETE CASCADE ON UPDATE RESTRICT
);

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>faces/Login.jsp</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>LoginConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>MyResource</web-resource-name>
            <description/>
            <url-pattern>/LoginController</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>User</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Login</realm-name>
        <form-login-config>
            <form-login-page>/Login.jsp</form-login-page>
            <form-error-page>/Error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description/>
        <role-name>User</role-name>
    </security-role>
    <security-role>
        <description/>
        <role-name>Admin</role-name>
    </security-role>
</web-app>

glassfish-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
  <context-root>/JDBC_Realm</context-root>
  <security-role-mapping>
    <role-name>User</role-name>
    <group-name>User</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>Admin</role-name>
    <principal-name>peterwkc</principal-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</glassfish-web-app>

Login.jsp :

<%@page contentType="text/html" pageEncoding="UTF-8"%>

<%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
<%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
  "http://www.w3.org/TR/html4/loose.dtd">

<%--
    This file is an entry point for JavaServer Faces application.
--%>
<f:view>
  <html>
    <head>
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
      <title>JSP Page</title>
    </head>
    <body>
      <h1><h:outputText value="JavaServer Faces"/></h1>

      <form action="LoginController" method="POST" id="LoginForm" name="LoginForm">
        Username : <input type="text" name="username" /><p></p>
        Password : <input type="password" name="password" />

        <input type="submit" name="submit" value="Login"/>

      </form>

    </body>
  </html>
</f:view>

LoginController.java :

@WebServlet(name = "LoginController", urlPatterns = {"/LoginController"})
public class LoginController extends HttpServlet {

  @Override
  public void init() throws ServletException {
    getServletConfig();
  }

  @Override
  public void destroy() {
  }

  /** 
   * Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
   * @param request servlet request
   * @param response servlet response
   * @throws ServletException if a servlet-specific error occurs
   * @throws IOException if an I/O error occurs
   */
  protected void processRequest(HttpServletRequest request, HttpServletResponse response)
          throws ServletException, IOException {
    response.setContentType("text/html;charset=UTF-8");
    PrintWriter out = response.getWriter();
    try {
      /* TODO output your page here
      out.println("<html>");
      out.println("<head>");
      out.println("<title>Servlet LoginController</title>");  
      out.println("</head>");
      out.println("<body>");
      out.println("<h1>Servlet LoginController at " + request.getContextPath () + "</h1>");
      out.println("</body>");
      out.println("</html>");
       */
    } finally {      
      out.close();
    }
  }

  // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
  /** 
   * Handles the HTTP <code>GET</code> method.
   * @param request servlet request
   * @param response servlet response
   * @throws ServletException if a servlet-specific error occurs
   * @throws IOException if an I/O error occurs
   */
  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
          throws ServletException, IOException {
//        processRequest(request, response);
    PrintWriter out = null;

    try {

      response.setContentType("text/html;charset=UTF-8");
      out = response.getWriter();


    } finally {
      out.close();
    }
  }

  /** 
   * Handles the HTTP <code>POST</code> method.
   * @param request servlet request
   * @param response servlet response
   * @throws ServletException if a servlet-specific error occurs
   * @throws IOException if an I/O error occurs
   */
  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
          throws ServletException, IOException {
    processRequest(request, response);
  }

  /** 
   * Returns a short description of the servlet.
   * @return a String containing servlet description
   */
  @Override
  public String getServletInfo() {
    return "Short description";
  }// </editor-fold>
}

I follow this tutorial. http://blog.gamatam.com/2009/11/jdbc-realm-setup-with-glassfish-v3.html

Questions : 1. Why my code does not working ?

Please help. Thanks.

回答1:

If you followed the tutorial, Glassfish expects to find MD5 hashes of the passwords in usertable. But you inserted 1234. You will either have to insert the MD5 hash of 1234 which is: 81dc9bdb52d04dc20036dbd8313ed055 or you could tell Glassfish to use plain passwords, but I don't know what to put in the Digest then.

HTH

EDIT

In the tutorial the realm name is security but in your web.xml it is named Login

EDIT 2

There is even more wrong: To use the automatic login mechanism of Glassfish the form in your Login.jsp should have action="j_security_check" and the names for user and password should be j_username and j_password respectively.

Also see Matt Handy's answer and comment and provide some more details (such as error message or so). Otherwise it's very difficult to help if you just say "It doesn't work"



回答2:

Configuring jdbc realm is a bit tricky. You gave a lot information in your question, but you missed to describe the error behavior.

Some ideas:

You have a group table, but does it contain the line (peterwkc, User)?

Did you store the hash of your password?

How does your JDBC realm configuration look like?

If you set the logging of the security module to finest, what's in server.log?



回答3:

Check this out as I've analytically answered your question (minor mistakes may be inside):
JDBC Realm Form Authentication How To