I m trying to use Jaas, Java Authentication and Autorisation service. The server is App Engine so, it is impossible to edit web.xml. I m using a servlet filter like:
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
try {
LoginContext lc = new LoginContext("JaasSample", new AuthenticationCallbackHandler());
lc.login();
chain.doFilter(request, response);
lc.logout();
} catch (LoginException e) { /* lc.login() fails */}
}
要求LoginContext检查一项政策,并提出以下例外:
java.security.AccessControlException:
access denied (javax.security.auth.AuthPermission createLoginContext.JaasSample)
The code I m using is from Oracle reference. They explain that in presence of a Security Manager, it is necessary to grant some rights in this fashion:
grant {
permission javax.security.auth.AuthPermission "createLoginContext.JaasSample";
}
我不理解为什么要在联合调查报告中这样做。
我可以绕过这次检查——D-enable_all_permissions=true in the Rugiguration。 (待补)然后,Jaas配置文件在系统查询。 是否在项目资源中? 如何在地方/生产中发挥作用?
组合文件如下:
JaasSample {
com.sun.security.auth.module.Krb5LoginModule required;
};
非常感谢。
ps. Spring Security can be use with Jaas and works on App Engine. pps. Spring Security can not be used because it starts Spring context which slow down App Engine startup. And the startup in this environment is done all the time.