安全:JAAS LoginModule

本文不对JAAS进行详细的讨论,但给大家简单的介绍一下。在JAAS架构中,当用户登录系统时,系统给用户一个Subject,Subject中包含有一个或多个Principal。每个Principal给用户提供身份验证,例如用户ID,也可以验证组和角色。Subject也包含公有的和私有的许可证(credential),例如X.509证书、私钥等。JAAS通过公开的Permission进行授权,Permission是在外部Policy 文件里进行维护的。本文也不讨论授权。就像下面所讨论的,实际的登录过程是由LoginModule来处理的。如果你想了解更多的信息,这里有相关 JAAS的详细介绍:http://www.javaworld.com/javaworld/jw-09-2002/jw-0913- jaas.html。
实现Hibernate JAAS LoginModule的第一步是定义一个或多个Principal。下面是一个典型的实例,但是记住你能把你想要的任何事物――用户ID,E-mail 地址,电话号码,公钥――填进Principal中是很重要的,这些事物都能在持久化的User对象中发现。

final public class HibernatePrincipal implements Principal {
private String name;
public HibernatePrincipal() {
name = "";
public HibernatePrincipal(String name) {
this.name = name;
public String getName() {
return name;
public int hashCode() {
return name.hashCode();
public boolean equals(Object o) {
if (!(o instanceof HibernatePrincipal)) {
return false;
return name.equals(((HibernatePrincipal) o).name);
public String toString() {
return name;


public void foo(Principal p) {
if (p instanceof HibernatePrincipal) {
// use this instead
if (p.getClass().equals(HibernatePrincipal.class)) {
// or even this
if (p.getClass().getName().equals(HibernatePrincipal.getClass().getName()) {

既然有了Principal,我们可以为JAAS LoginModule包装一些标准的Hibernate代码。
* HibernateLoginModule is a LoginModule that authenticates
* a given username/password credential against a Hibernate
* session.
* @see javax.security.auth.spi.LoginModule
public class HibernateLoginModule implements LoginModule {

// initial state
CallbackHandler handler;
Subject subject;
Map sharedState;
Map options;
Digest digest;

// temporary state
Vector principals;

// authentication status
boolean success;

// configurable options
boolean debug;

/** Hibernate session factory */
SessionFactory sf = null;

/** Hibernate query */
private static final String query =
"from u in class " + User.class + " where u.name=?";

public HibernateLoginModule() {
credentials = new Vector();
principals = new Vector();
success = false;
debug = false;

* Initialize our state.
public void initialize (Subject subject, CallbackHandler handler,
Map sharedState, Map options) {

this.handler = handler;
this.subject = subject;
this.sharedState = sharedState;
this.options = options;

if (options.containsKey("debug")) {
debug = "true".equalsIgnoreCase((String) options.get("debug"));
if (options.containsKey("digest")) {
digest = new Digest((String) options.get("digest"));
} else {
digest = new Digest();

// elided: standard code to get Hibernate =SessionFactory=.

* First phase of login process.
public boolean login() throws LoginException {
if (handler == null) {
throw new LoginException("Error: no CallbackHandler available");

try {
Callback[] callbacks = new Callback[] {
new NameCallback("User: "),
new PasswordCallback("Password: ", false)


String username = ((NameCallback) callbacks[0]).getName();
char[] password = ((PasswordCallback) callbacks[1]).getPassword();

((PasswordCallback) callbacks[1]).clearPassword();

success = validate(username, password);

callbacks[0] = null;
callbacks[1] = null;

if (!success) {
throw new LoginException("Authentication failed: Password does not match");
return true;
} catch (LoginException e) {
throw e;
} catch (Exception e) {
success = false;
throw new LoginException(e.getMessage());

* Second phase of login - by now we know user is authenticated
* and we just need to update the subject.
public boolean commit() throws LoginException {
if (success) {
if (subject.isReadOnly()) {
throw new LoginException("Subject is read-only");

try {
Iterator i = principals.iterator();
return true;
} catch (Exception e) {
throw new LoginException(e.getMessage());
} else {
return true;

* Second phase - somebody else rejected user so we need to
* clear our state.
public boolean abort() throws LoginException {
success = false;
return true;

* User is logging out - clear our information from the subject.
public boolean logout() throws LoginException {

// remove the principals the login module added
Iterator i = subject.getPrincipals(HibernatePrincipal.class).iterator();
while (i.hasNext()) {
HibernatePrincipal p = (HibernatePrincipal) i.next();

return true;

* Validate the user name and password. This is the Hibernate-specific
* code.
private boolean validate(String username, char[] password) throws Exception {
boolean valid = false;
List users = null;

Session s = null;
try {
s = sf.openSession();
users = (List) s.find(query, username, Hibernate.STRING);
} catch (Exception e) {
} finally {
if (s != null) {
try { s.close(); } catch (HibernateException e) { }

// are there no matching records?...
if (users == null || users.size() == 0) {
return false;

// compare passwords...
User user = (User) users.get(0);
String hash = user.getPassword();
if (hash != null && password != null && password.length > 0) {
valid = hash.equals(digest.digest(new String(password)));

if (valid) {
this.principals.add(new HibernatePrincipal(user.getId(),
return valid;
例子中,我们利用了Tomcat类库中密码digest功能(password digest function)(你要为HexUtils类载入catalina.jar文件)。
import org.apache.catalina.util.HexUtils;

* Quick and dirty password digest function. The HexUtils class
* comes from the Tomcat catalina.jar.
public class Digest {

static MessageDigest md = null;

public Digest() {

public Digest(String digest) {
try {
md = MessageDigest.getInstance(digest);
} catch (NoSuchAlgorithmException e) {
try {
md = MessageDigest.getInstance("MD5");
} catch (NoSuchAlgorithmException e) { }

* Digest function from Tomcat.
public String digest(String credentials) {
if (md == null) {
return credentials;

synchronized (this) {
try {
return (HexUtils.convert(md.digest()));
} catch (Exception e) {
return credentials;
Example {
HibernateLoginModule required debug="true";
* simple CallbackHandler suitable for testing purposes
public static class Handler implements CallbackHandler {

private Test t;
private String username;
private char[] credentials;

public Handler(Test t, String username, char[] credentials) {
this.t = t;
this.username = username;
this.credentials = credentials;

public void handle(Callback callbacks[])
throws IOException, UnsupportedCallbackException {

for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof NameCallback) {
((NameCallback) callbacks[i]).setName(username);
else if (callbacks[i] instanceof PasswordCallback) {
((PasswordCallback) callbacks[i]).setPassword(credentials);
} else {
throw new UnsupportedCallbackException(callbacks[i]);
* Simple JAAS-aware application.
public class Test {

LoginContext l = null;

* attempt to log in as the user, returning the =Subject=
* if successful.
public Subject login(String username, char[] credentials) {
try {
CallbackHandler cb = new Handler(this, username, credentials);
l = new LoginContext("Example", cb);
} catch (LoginException e) {
return null;

Subject subject = null;
try {
subject = l.getSubject();
if (subject == null) {
return null;
} catch (AccountExpiredException e) {
} catch (CredentialExpiredException e) {
} catch (FailedLoginException e) {
} catch (LoginException e) {
return subject;

* log out of application
public void logout() {
if (l != null) {
try {
} catch (LoginException e) {

public static void main(String[] args) throws Exception {
Test t = new Test();
String username = "test";
String password = "test";

Subject subj = t.login(username, password.toCharArray());
if (subj != null) {
Iterator i = subj.getPrincipals(HibernatePrincipal.class).iterator();
while (i.hasNext()) {
HibernatePrincipal p = (HibernatePrincipal) i.next();
System.out.println("logged in as: " + p.getName());
else {
System.out.println("unable to log in as user");
