Anyone who has written JSP knows that servlets have four authentication methods: basic, digest, form-based and ssl. Basic and digest are both HTTP standards, ssl has its own RFC, and form-based seems to be specific to servlets.
Java has an API called JAAS (Java Authentication and Authorization Service). I had not seen it before; it is said to cover two parts, authentication and authorization. Authentication is pluggable, which in practice means a config file replaces hard-coded logic, plus a strategy pattern (the use of a callback handler). Authorization is also driven by a config file. A piece of code shows roughly what it looks like:
    import java.security.PrivilegedAction;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    public class MyClient {
        public static void main(String[] argv) {
            LoginContext ctx = null;
            try {
                // "WeatherLogin" names an entry in the JAAS login configuration file;
                // MyCallbackHandler supplies the credentials the login module asks for
                ctx = new LoginContext("WeatherLogin", new MyCallbackHandler());
            } catch (LoginException le) {
                System.err.println("LoginContext cannot be created. " + le.getMessage());
                System.exit(-1);
            } catch (SecurityException se) {
                System.err.println("LoginContext cannot be created. " + se.getMessage());
                System.exit(-1);   // without this, ctx stays null and ctx.login() below throws NullPointerException
            }
            try {
                ctx.login();   // authentication
            } catch (LoginException le) {
                System.out.println("Authentication failed");
                System.exit(-1);
            }
            System.out.println("Authentication succeeded");
            // authorization: everything established at login is held by the Subject,
            // and the action runs with that Subject's permissions
            Subject subject = ctx.getSubject();
            PrivilegedAction<?> action = new MyAction();
            Subject.doAsPrivileged(subject, action, null);
            try {
                ctx.logout();
            } catch (LoginException le) {
                System.out.println("Logout: " + le.getMessage());
            }
        }
    }
The three lines that obtain the Subject, build the PrivilegedAction and call doAsPrivileged() (marked "authorization" above) are the authorization part; everything else is the authentication part. Classes whose names start with My are the ones you implement yourself. You can see that all the information established by authentication is actually packed into a Subject instance, after which you just call doAsPrivileged() to act under that Subject's permissions.
References:
http://www.modperl.com/book/chapters/ch6.html
http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html
http://java.sun.com/developer/technicalArticles/Security/jaasv2/
http://en.wikipedia.org/wiki/Basic_access_authentication
http://en.wikipedia.org/wiki/Digest_access_authentication
http://en.wikipedia.org/wiki/Secure_Sockets_Layer