问题描述:

I am using HttpServletRequest.login() method provided by servlet 3.0 in a Java EE-container (jdbc-realm) and all works fine.

According to this [Java EE 6: How to implement "Stay Logged In" when user login in to the web application, I have implemented a remember-me-method.

However I stuck with the following in the filter-class:

if (user != null) {

request.login(user.getUsername(), user.getPassword());

request.getSession().setAttribute("user", user); // Login.

addCookie(response, COOKIE_NAME, uuid, COOKIE_AGE); // Extends age.

}.

I have a jdbc-realm with encrypted pw, how can I make the container-managed-authentication via rememberMe? user.getPassword() needs the clear (unhashed) pw which I cannot know! I do not want to store clear passwords in the db.

网友答案:

If the ready-use login module that you use only accepts the clear (unhashed) password, then you probably would need to modify it, and then install that modified version.

Your existing JDBC-realm most likely has a vendor specific login module, but Java EE 6 does have a standardized dedicated API for building login modules (auth modules), which is called JASPIC. See this article for some background.

Incidentally for a OmniFaces sub-project called OmniSecurity we have been prototyping a JASPIC auth module which also supports remember me. It's open source so you could use it for inspiration.

相关阅读:
Top