
read AppFuse 3 - authentication and authorization

2013-10-10 ⁄ General ⁄ 3820 characters ⁄ Comments closed

      AppFuse's user management relies on container-managed FORM authentication.

1. The AppFuse application uses form-based login; the login form is served by login.jsp.

web.xml

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

2. Through a static include, login.jsp delegates rendering of the login form to loginForm.jsp.

 login.jsp

    <c:import url="/WEB-INF/pages/loginForm.jsp"/>


3. The login request is intercepted and handled by the login servlet.

WEB-INF/pages/loginForm.jsp

    <!-- the POST to /authorize is intercepted by the login servlet -->
    <form method="post" id="loginForm" action="<c:url value="/authorize"/>"
        onsubmit="saveUsername(this);return validateForm(this)">


 web.xml

    <context-param>
        <param-name>listenPort_http</param-name>
        <param-value>8080</param-value>
    </context-param>
    <!-- port used when the login is switched to SSL -->
    <context-param>
        <param-name>listenPort_https</param-name>
        <param-value>8443</param-value>
    </context-param>


    <servlet>
        <!-- LoginServlet intercepts the user's login request -->
        <servlet-name>login</servlet-name>
        <display-name>Login Servlet</display-name>
        <servlet-class>org.appfuse.webapp.action.LoginServlet</servlet-class>
        <init-param>
            <param-name>authURL</param-name>
            <param-value>j_security_check</param-value>
        </init-param>
        <init-param>
            <param-name>isSecure</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>encrypt-password</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>algorithm</param-name>
            <param-value>SHA</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>login</servlet-name>
        <url-pattern>/authorize/*</url-pattern>
    </servlet-mapping>

4. The LoginServlet that handles the login request first reads its init parameters and builds the processed URL, then hands the request on to LoginFilter.

    // Fields authURL, algorithm, secure and encrypt are declared on the servlet;
    // needs java.util.HashMap, java.util.Map and javax.servlet.ServletContext.
    public void init() throws ServletException {
        // read the init-params declared for the servlet in web.xml
        authURL = getInitParameter(Constants.AUTH_URL);
        algorithm = getInitParameter(Constants.ENC_ALGORITHM);
        secure = Boolean.valueOf(getInitParameter("isSecure"));
        encrypt = Boolean.valueOf(getInitParameter("encrypt-password"));

        // the ports are taken from the listenPort_http / listenPort_https
        // context-params shown above (completed here; the page omits these lines)
        ServletContext ctx = getServletContext();
        String httpPort = ctx.getInitParameter("listenPort_http");
        String httpsPort = ctx.getInitParameter("listenPort_https");

        // store the security settings in the servlet context for LoginFilter
        Map<String, Object> config = new HashMap<String, Object>();
        config.put(Constants.HTTP_PORT, httpPort);
        config.put(Constants.HTTPS_PORT, httpsPort);
        // defined in class Constants:
        // public static final String SECURE_LOGIN = "secureLogin";
        config.put(Constants.SECURE_LOGIN, secure);
        config.put(Constants.ENC_ALGORITHM, algorithm);
        config.put(Constants.ENCRYPT_PASSWORD, encrypt);
        ctx.setAttribute(Constants.CONFIG, config);
    }


      The following are AppFuse's form-authentication settings.

Settings in web.xml

    <!-- any user can access passwordHint and signup -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Unrestricted</web-resource-name>
            <description>All users can view</description>
            <url-pattern>/passwordHint.html</url-pattern>
            <url-pattern>/signup.html</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>


    <!-- every user must authenticate to access the application's *.html pages -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>dudu</web-resource-name>
            <description>Require users to authenticate</description>
            <url-pattern>*.html</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Define who can access this url-pattern</description>
            <!-- only users in the admin or tomcat role may access the application -->
            <role-name>admin</role-name>
            <role-name>tomcat</role-name>
        </auth-constraint>

        <user-data-constraint>
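The two constraints above interact through the Servlet specification's best-match rule: the container applies only the constraints on the best-matching url-pattern, and an exact match such as /signup.html beats the extension pattern *.html, which is why signup and passwordHint stay open while every other .html page needs the admin or tomcat role. Two caveats follow from the fragments as written. Because each constraint lists only GET and POST, any other method (HEAD, PUT, OPTIONS, ...) on a *.html URL is not constrained at the best-matching pattern and the container accepts it without authentication; Servlet 3.1's `<deny-uncovered-http-methods/>` closes that gap. And a NONE transport guarantee (or none at all) means the signup form, and with isSecure=false the login itself, sends credentials in clear text. The script below is an added example, not AppFuse code: it parses a constructed web.xml modelled on the fragments above (the second constraint's cut-off user-data-constraint is omitted, which is equivalent to NONE) and resolves requests the way the specification's matching and combination rules do.

```python
"""Resolve which web.xml <security-constraint> applies to a request, using the
Servlet spec's best-matching url-pattern rule and its combination rules."""
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample modelled on the AppFuse fragments quoted above (not the
# project's real web.xml). The second constraint's user-data-constraint is cut
# off on the page, so it is left out; an absent one means no transport guarantee.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Unrestricted</web-resource-name>
      <url-pattern>/passwordHint.html</url-pattern>
      <url-pattern>/signup.html</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>dudu</web-resource-name>
      <url-pattern>*.html</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag: str) -> str:
    """Drop the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name: str) -> list:
    """Text of every direct child element called `name`."""
    return [e.text.strip() for e in parent if _local(e.tag) == name and e.text]


def parse_constraints(xml_text: str) -> list:
    """One dict per <security-constraint>. methods: empty set = all methods;
    roles: None = no auth-constraint (open), empty set = nobody allowed."""
    out = []
    for sc in ET.fromstring(xml_text):
        if _local(sc.tag) != "security-constraint":
            continue
        c = {"patterns": [], "methods": set(), "roles": None, "transport": "NONE"}
        for child in sc:
            kind = _local(child.tag)
            if kind == "web-resource-collection":  # collections merged for brevity
                c["patterns"] += _texts(child, "url-pattern")
                c["methods"] |= {m.upper() for m in _texts(child, "http-method")}
            elif kind == "auth-constraint":
                c["roles"] = set(_texts(child, "role-name"))
            elif kind == "user-data-constraint":
                c["transport"] = (_texts(child, "transport-guarantee") or ["NONE"])[0].upper()
        out.append(c)
    return out


def _rank(pattern: str, path: str) -> Optional[tuple]:
    """Match quality in spec order: exact > longest path prefix > extension >
    default '/'. None means the pattern does not match the path."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    elif pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    elif pattern == "/":
        return (0, 0)
    return None


def decide(constraints: list, method: str, path: str) -> dict:
    """Outcome for one request: 'unconstrained' (no pattern matched),
    'uncovered-method' (best pattern matched but not for this method, so the
    container lets the request through), 'open', 'denied' or 'role-required'."""
    method = method.upper()
    best, selected = None, []
    for c in constraints:
        ranks = [r for r in (_rank(p, path) for p in c["patterns"]) if r is not None]
        if not ranks:
            continue
        r = max(ranks)
        if best is None or r > best:
            best, selected = r, [c]
        elif r == best:
            selected.append(c)
    if not selected:
        return {"outcome": "unconstrained", "roles": set(), "transport": "NONE"}
    applicable = [c for c in selected if not c["methods"] or method in c["methods"]]
    if not applicable:
        return {"outcome": "uncovered-method", "roles": set(), "transport": "NONE"}
    # Combination rules: NONE in any transport-guarantee wins (INTEGRAL is folded
    # into CONFIDENTIAL here); an empty auth-constraint precludes access; a
    # missing one opens the resource; otherwise the role sets are unioned.
    transport = "NONE" if any(c["transport"] == "NONE" for c in applicable) else "CONFIDENTIAL"
    if any(c["roles"] == set() for c in applicable):
        return {"outcome": "denied", "roles": set(), "transport": transport}
    if any(c["roles"] is None for c in applicable):
        return {"outcome": "open", "roles": set(), "transport": transport}
    roles = set().union(*(c["roles"] for c in applicable))
    return {"outcome": "role-required", "roles": roles, "transport": transport}


def uncovered_methods(constraints: list) -> dict:
    """url-patterns whose auth-constraint is enforced only for the listed methods."""
    return {p: sorted(c["methods"]) for c in constraints
            if c["roles"] is not None and c["methods"] for p in c["patterns"]}


if __name__ == "__main__":
    cs = parse_constraints(SAMPLE_WEB_XML)
    for m, p in [("GET", "/signup.html"), ("GET", "/users.html"), ("HEAD", "/users.html")]:
        print(m, p, decide(cs, m, p))
    print("auth enforced only for:", uncovered_methods(cs))
```

Running it shows GET /signup.html as open (the exact pattern wins), GET /users.html as requiring admin or tomcat over a NONE transport, and HEAD /users.html as an uncovered method that the container would serve without any login; the same checks can be pointed at a real web.xml by replacing SAMPLE_WEB_XML with the file's contents.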
