我们目前正在尝试在 Websphere 6.1 Web 容器内实现一个 Web 应用程序,该应用程序使用 Java EE 身份验证机制和基于 FORM 的登录。如果身份验证成功,则一切正常;正在检索 LDAP 成员资格组,正在执行组到角色的映射,并且正在返回角色并由 Web 应用程序正确解释。
如果身份验证不成功,则返回表单登录错误页面。然而,这是一个静态页面,仅显示类似“出现错误”之类的内容。我们如何捕获阻止成功登录的特定错误(用户名/密码不正确、LDAP 存储库不可用、帐户被锁定、密码过期等)?似乎应该有一些简单的方法可以做到这一点,因为您可能希望以不同于其他方式处理某些“安全”异常。
最佳答案
我使用 Struts,所以它会为您转发。如果您没有框架(为什么不呢?),您将不得不手动完成。
Java EE 规范涵盖了 j_security_check servlet。
登录页面将 j_username 和 j_password POST 到 j_security_check servlet。您的应用程序将被配置为错误访问未经授权的页面(请参阅 web.xml),但会(最初)调用 servlet。 401 或 403 将转到禁止访问的页面(同样是 web.xml)
在该 servlet(它扩展了 HttpServlet)中 - 您将检查所有这些好东西。
public final void doGet(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws javax.servlet.ServletException, java.io.IOException
{
// initialize the app
AppInit initializer = new AppInit();
// get the logger
log = new Log4jWrapper(this.getClass());
// initialize the application session
HttpSession sess = request.getSession(true);
sess.setAttribute(CommonConstants.SESSION_CURR_USER_ID, request.getRemoteUser());
// initialize the JSP to forward to based on the user role
String fwdJSP = "SetupMainPage.jsp";
if (request.isUserInRole(CommonConstants.ROLE_MANAGER)) {
log.debug("User is a Manager");
}
//else other role checks - (these are users in groups in the LDAP)
// initialize the application session and set a variable to indicate that
// we are coming from a first time login (not a timeout login)
sess.setAttribute(CommonConstants.SESSION_COMING_FROM_INITIAL_LOGIN,"TRUE");
disp = getServletContext().getRequestDispatcher("SetupMainPage.jsp");
disp.forward(request, response);
}
//else failure
未知用户
[11/22/08 8:54:47:993 EST] 7f6ac69c FormLoginServ E SECJ0118E: Authentication error during authentication for user s
正确的用户 - 错误的密码,但 request.getRemoteUser() 将有一个值
[11/22/08 8:56:45:082 EST] 7f51469c FormLoginServ E SECJ0118E: Authentication error during authentication for user jbsymolo
不幸的是 - 我没有任何人被锁定的例子,但我假设主安全目录 (LDAP) 将有一个用户条目。
这是别人的(所以我不能相信)
I think this page describes how to do what you want to do.
Specifically how to retrieve the authentication exception from an arbitrary underlying authentication source (looks like Websphere calls them user registries).
Throwable t = com.ibm.websphere.security.auth.WSSubject.getRootLoginException();
if (t != null)
t = determineCause(t);Where determineCause() is defined on the same page. This way, even if your server is configured to authenticate against a John Deer tractor, you will have access to the "OutOfGasLoginException" if there is one. The above code can go into the Servlet, Servlet Filter, or JSP that is redirect to by the container (as described above by jsymolon). It simply examines the exceptions and then places a corresponding friendly error message on the resulting page.
关于Java EE 身份验证错误处理,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/461886/