
java ee 6 - "Remember me" and Servlet 3.0 request.login()

Question:

I am using HttpServletRequest.login() method provided by servlet 3.0 in a Java EE-container (jdbc-realm) and all works fine.

According to this Java EE 6: How to implement "Stay Logged In" when user login in to the web application, I have implemented a remember-me-method.

However, I am stuck with the following in the filter class:

    if (user != null) {
        request.login(user.getUsername(), user.getPassword());
        request.getSession().setAttribute("user", user); // Login.
        addCookie(response, COOKIE_NAME, uuid, COOKIE_AGE); // Extends age.
    }

I have a jdbc-realm with encrypted pw, how can I make the container-managed-authentication via rememberMe? user.getPassword() needs the clear (unhashed) pw which I cannot know! I do not want to store clear passwords in the db.

Answer:

If the ready-to-use login module that you use only accepts the clear (unhashed) password, then you probably would need to modify it, and then install that modified version.

Your existing JDBC-realm most likely has a vendor-specific login module, but Java EE 6 does have a standardized dedicated API for building login modules (auth modules), which is called JASPIC. See this article for some background.

Incidentally, for an OmniFaces sub-project called OmniSecurity we have been prototyping a JASPIC auth module which also supports remember me. It's open source so you could use it for inspiration.
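
Added example, not from the original answer and not OmniSecurity code: a minimal JASPIC `ServerAuthModule` along the lines the answer suggests, which establishes the caller from the remember-me cookie so that no password, clear or hashed, is involved. The class name, the cookie name, the in-memory `TOKENS` map (standing in for a database table of hashed tokens) and the `user` group are assumptions.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Hypothetical module: authenticates the caller from a remember-me cookie.
public class RememberMeAuthModule implements ServerAuthModule {
    static final String COOKIE_NAME = "remember"; // assumed cookie name
    // Assumed stand-in for a DB table: SHA-256(token) -> username. Raw tokens are never stored.
    static final Map<String, String> TOKENS = new ConcurrentHashMap<String, String>();
    private CallbackHandler handler;
    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler h, Map o) { handler = h; }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service)
            throws AuthException {
        String user = null;
        Cookie[] cookies = ((HttpServletRequest) info.getRequestMessage()).getCookies();
        try {
            for (Cookie c : cookies == null ? new Cookie[0] : cookies) {
                if (COOKIE_NAME.equals(c.getName())) user = TOKENS.get(sha256(c.getValue()));
            }
            // A null name tells the container the caller is unauthenticated, so its
            // authorization checks deny access to protected resources.
            handler.handle(user == null
                ? new Callback[] { new CallerPrincipalCallback(client, (String) null) }
                : new Callback[] { new CallerPrincipalCallback(client, user),
                                   new GroupPrincipalCallback(client, new String[] { "user" }) });
        } catch (Exception e) {
            throw (AuthException) new AuthException("remember-me check failed").initCause(e);
        }
        return AuthStatus.SUCCESS;
    }
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo info, Subject subject) { }
    static String sha256(String token) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes("UTF-8"));
        return String.format("%064x", new BigInteger(1, d));
    }
}
```

Registering the module with the container (through an `AuthConfigProvider`) is not shown. Once registered it takes over authentication for the application, so the regular username/password login has to be handled by the module as well.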
