我将回答这个问题。
我使用了一个过滤器和一个自定义的JBoss LoginModule来解决集成问题:
该过滤器(必须在调用shiro过滤器之后应用):
public class ShiroJAASIntegrationFilter implements Filter{
static Logger logger = Logger.getLogger(ShiroJAASIntegrationFilter.class);
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest arg0, ServletResponse arg1,
FilterChain arg2) throws IOException, ServletException {
HttpServletRequest httpServletRequest = (HttpServletRequest)arg0;
Principal userPrincipal = httpServletRequest.getUserPrincipal();
HttpSession session = httpServletRequest.getSession(false);
if(userPrincipal!=null){
if(session!= null && session.getAttribute("shiroAuthenticated")==null){
String name = userPrincipal.getName();
try {
httpServletRequest.login(name,"");
session.setAttribute("shiroAuthenticated",true);
} catch (ServletException e) {
logger.debug("Unable to authenticate user" + e.getMessage());
}
}
}
arg2.doFilter(arg0, arg1);
}
@Override
public void init(FilterConfig arg0) throws ServletException {
}
}
登录模块仅将用户标记为已验证:
public class ShiroJAASLoginModule extends UsernamePasswordLoginModule {
protected boolean validatePassword(String inputPassword,
String expectedPassword) {
return true;
}
protected Group[] getRoleSets() throws LoginException {
Group[] roleSets = { new SimpleGroup("Roles") };
roleSets[0].addMember(new SimplePrincipal(getUsername()));
return roleSets;
}
@Override
protected String getUsersPassword() throws LoginException {
return null;
}
}
该模块必须在 standalone.xml 中定义:
<security-domain name="shiro" cache-type="default">
<authentication>
<login-module code="web.security.shiroJaasIntegration.ShiroJAASLoginModule" flag="required"/>
</authentication>
</security-domain>
最后,在您的应用程序 jboss-web.xml 中定义安全域:
<jboss-web>
<security-domain>shiro</security-domain>
</jboss-web>