I'm trying to implement a login module so I can perform a "remember me" feature on my web app as well as hash my password with bcrypt. To build the class I used this tutorial. However, I didn't manage to connect after implementing this. The passwords in the DB are hashed via SHA-256 at the moment and I suspect it is the reason why.
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TestAuthModule implements ServerAuthModule {

    // The Servlet Container Profile of JASPIC requires exactly these two message types.
    @SuppressWarnings("rawtypes")
    protected static final Class[] supportedMessageTypes = new Class[] {
            HttpServletRequest.class, HttpServletResponse.class };

    // Container-supplied handler used to register the caller and groups on the Subject.
    private CallbackHandler handler;

    public void initialize(MessagePolicy requestPolicy,
            MessagePolicy responsePolicy, CallbackHandler handler,
            @SuppressWarnings("rawtypes") Map options) throws AuthException {
        System.out.println("initialize called.");
        this.handler = handler;
    }

    @SuppressWarnings("rawtypes")
    public Class[] getSupportedMessageTypes() {
        return supportedMessageTypes;
    }

    // Called by the container for every request. Note that the tutorial code takes
    // "user" and "group" straight from request parameters, checks no password, and
    // returns SUCCESS unconditionally: whoever supplies the parameters is authenticated.
    public AuthStatus validateRequest(MessageInfo messageInfo,
            Subject clientSubject, Subject serverSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo
                .getRequestMessage();
        String user = request.getParameter("user");
        String group = request.getParameter("group");
        System.out.println("validateRequest called.");
        System.out.println("User = " + user);
        System.out.println("Group = " + group);
        authenticateUser(user, group, clientSubject, serverSubject);
        return AuthStatus.SUCCESS;
    }

    // Nothing is added to the response on the way out.
    public AuthStatus secureResponse(MessageInfo msgInfo, Subject service)
            throws AuthException {
        System.out.println("secureResponse called.");
        return AuthStatus.SEND_SUCCESS;
    }

    // Called on logout: drop the principals that were registered on the Subject.
    public void cleanSubject(MessageInfo msgInfo, Subject subject)
            throws AuthException {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }

    // Registers the caller principal and its group on the client Subject via the
    // container's CallbackHandler. A null user name marks the request as unauthenticated.
    private void authenticateUser(String user, String group,
            Subject clientSubject, Subject serverSubject) {
        System.out
                .println("Authenticating user " + user + " in group " + group);
        CallerPrincipalCallback callerPrincipalCallback = new CallerPrincipalCallback(
                clientSubject, user);
        GroupPrincipalCallback groupPrincipalCallback = new GroupPrincipalCallback(
                clientSubject, new String[] { group });
        try {
            // handle() may throw IOException or UnsupportedCallbackException.
            handler.handle(new Callback[] { callerPrincipalCallback,
                    groupPrincipalCallback });
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
and I log in like this (which did work before implementing a custom login module):
private String username;
private Password password; // Password is the poster's own type; it is concatenated as a String below
// ....
try {
    // salt is defined elsewhere in the poster's code
    request.login(username, password + salt);
} catch (ServletException e) {
    // login was rejected by the container
    e.printStackTrace();
}
Also, on my pages I used to have a register and a sign-in button that were displayed only if the user was null; if not, I had the username at the top. Now that I implemented this, it's like the user is connected as "ANONYMOUS" (so there is "you are connected as ANONYMOUS" at the top of the page). To prevent this I did a temporary fix:
if (username == null || username.equals("ANONYMOUS")) {
    this.isUserConnected = false;
} else {
    this.isUserConnected = true;
}
I tried:
isUserInGroup("ANONYMOUS");
but there is no user, so I'm getting an NPE. I'm not sure how to go about this as well.
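One way to do the credential check that the tutorial module above skips, as an added example that is neither the poster's code nor the tutorial's: it verifies the submitted password against a bcrypt hash with the jBCrypt library's BCrypt.checkpw, takes the group from the user store instead of a request parameter, and returns SUCCESS only when the check passes or the resource is unprotected and no credentials were sent. The user table, the class name BcryptCredentialCheck and the "password" parameter name are constructed for the example; it assumes the stored hashes are already bcrypt rather than the SHA-256 ones mentioned above.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.mindrot.jbcrypt.BCrypt;
public class BcryptCredentialCheck {
    // Constructed stand-in for the user table: username -> { bcrypt hash, group }.
    private static final Map<String, String[]> USERS =
            Map.of("alice", new String[] { BCrypt.hashpw("correct horse", BCrypt.gensalt(12)), "users" });
    private final CallbackHandler handler;
    public BcryptCredentialCheck(CallbackHandler handler) { this.handler = handler; }
    // Same contract as ServerAuthModule.validateRequest, minus the unused serverSubject.
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        // The container sets this key when the target resource is under a security constraint.
        boolean mandatory = Boolean.parseBoolean(String.valueOf(
                messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory")));
        String user = request.getParameter("user");
        String password = request.getParameter("password");
        try {
            String[] record = user == null ? null : USERS.get(user);
            if (record != null && password != null && BCrypt.checkpw(password, record[0])) {
                // Group comes from the store, never from a request parameter.
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, user),
                        new GroupPrincipalCallback(clientSubject, new String[] { record[1] }) });
                return AuthStatus.SUCCESS;
            }
            if (!mandatory && user == null) {
                // Unprotected page, no credentials: an unauthenticated caller, so getUserPrincipal() is null.
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) });
                return AuthStatus.SUCCESS;
            }
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // unknown user or wrong password
            return AuthStatus.SEND_FAILURE;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("credential check failed").initCause(e);
        }
    }
}
```

Because an unauthenticated request registers a null principal instead of a named one, a page check on request.getUserPrincipal() == null works again without special-casing an "ANONYMOUS" name.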