glassfish 的基本身份验证失败


首先,我对这篇长文表示歉意。这是我之前问题的延续(7u21更新后弹出需要验证的窗口)关于这个问题,但我缩小了搜索范围。简而言之,自 Java 7u21 以来,我的 BASIC 身份验证似乎已被破坏。

通过 JNLP 文件启动的小程序根本无法稳定运行,并会弹出身份验证窗口。



  • 表:身份验证

enter image description here

  • 表:组

enter image description here

接下来我设置了一个jdbc领域在玻璃鱼中。请注意,数据库用户和数据库密码字段为空,因为我使用 JNDI(请参阅下文):

Glassfish 领域设置:

enter image description here


<jdbc-connection-pool connection-validation-method="auto-commit" datasource-classname="com.mysql.jdbc.jdbc2.optional.MysqlDataSource" wrap-jdbc-objects="false" res-type="javax.sql.DataSource" name="mysql_mit_rohhPool">
  <property name="URL" value="jdbc:mysql://localhost:3306/mit?zeroDateTimeBehavior=convertToNull"></property>
  <property name="driverClass" value="com.mysql.jdbc.Driver"></property>
  <property name="Password" value="****"></property>
  <property name="portNumber" value="3306"></property>
  <property name="databaseName" value="mit"></property>
  <property name="User" value="****"></property>
  <property name="serverName" value="localhost"></property>
<jdbc-resource pool-name="mysql_mit_rohhPool" jndi-name="jdbc/DB_MIT"></jdbc-resource>


enter image description here


毕竟,为了进行测试,我在 Netbeans 中创建了一个简单的 WebService,它从数据库中获取一些国家/地区并配置了web.xml对于 BASIC 身份验证:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="" xmlns:xsi="" xsi:schemaLocation="">
        <description>Multiple packages, separated by semicolon(;), can be specified in param-value</description>
    <display-name>Basic Protection</display-name>

为了测试 Web 服务,我在 NetBeans 中右键单击它,然后单击测试 RESTful Web 服务。将打开一个新的 Internet Explorer 窗口并显示登录屏幕,我输入dummy用户和一切正常。

接下来,我创建一个简单的 JavaFX FXML 项目来获取国家/地区。我有一个班级(使用泽西岛),看起来像下面这样。这是由 Netbeans 7.3 生成的代码:

private WebResource webResource;
private Client client;
private static final String BASE_URI = "http://localhost:8080/myWS/webresources";

public CountriesClient() {
    com.sun.jersey.api.client.config.ClientConfig config = new com.sun.jersey.api.client.config.DefaultClientConfig();
    client = Client.create(config);
    webResource = client.resource(BASE_URI).path("entities.countries");

public void close() {

public void setUsernamePassword(String username, String password) {
    client.addFilter(new com.sun.jersey.api.client.filter.HTTPBasicAuthFilter(username, password));

public <T> T findAll_XML(Class<T> responseType) throws UniformInterfaceException {
    WebResource resource = webResource;
    return resource.accept(;

在我的 FXML 控制器文件中,我将此方法链接到一个按钮:

private void handleButtonAction(ActionEvent event) {
    System.out.println("You clicked me!");

    CountriesClient c = new CountriesClient();
    c.setUsernamePassword("dummy", "****");
    String r = c.findAll_XML(String.class);

这就是我的项目的设置。现在,当我在 Netbeans 中测试它或通过 *.jar 文件启动它时,一切都按预期工作,并给出以下输出:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><countriess><countries><country>Belgium</country><id>1</id></countries><countries><country>Ireland</country><id>2</id></countries><countries><country>United Kingdom</country><id>3</id></countries><countries><country>Poland</country><id>4</id></countries></countriess>

然而,一旦我通过 *.jnlp 文件启动小程序,我就会收到这个恼人的弹出窗口,抱怨凭据:

enter image description here


network: Cache entry found [url: http://localhost:8080/myWS/webresources/entities.countries, version: null] prevalidated=false/0
cache: Adding MemoryCache entry: http://localhost:8080/myWS/webresources/entities.countries
cache: Resource http://localhost:8080/myWS/webresources/entities.countries has expired.
cache: Resource http://localhost:8080/myWS/webresources/entities.countries has cache control: no-cache.
network: Connecting http://localhost:8080/myWS/webresources/entities.countries with proxy=DIRECT
network: Connecting socket://localhost:8080 with proxy=DIRECT
network: Firewall authentication: site=localhost/, protocol=http, prompt=jdbcRealm, scheme=basic
network: ResponseCode for http://localhost:8080/myWS/webresources/entities.countries : 401
network: Encoding for http://localhost:8080/myWS/webresources/entities.countries : null
network: Connecting http://localhost:8080/myWS/webresources/entities.countries with proxy=DIRECT
basic: JNLP2ClassLoader.findClass: com.sun.jersey.core.header.InBoundHeaders: try again ..
basic: JNLP2ClassLoader.findClass: com.sun.jersey.core.util.StringKeyStringValueIgnoreCaseMultivaluedMap: try again ..
network: Downloading resource: http://localhost:8080/myWS/webresources/entities.countries
Content-Length: 322
Content-Encoding: null
network: Wrote URL http://localhost:8080/myWS/webresources/entities.countries to File C:\Users\stbrunee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4b456206-236d2196-temp
cache: MemoryCache replacing http://localhost:8080/myWS/webresources/entities.countries (refcnt=0). Was: URL: http://localhost:8080/myWS/webresources/entities.countries | C:\Users\stbrunee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4b456206-15cb0b99.idx Now: URL: http://localhost:8080/myWS/webresources/entities.countries | C:\Users\stbrunee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4b456206-236d2196.idx
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><countriess><countries><country>Belgium</country><id>1</id></countries><countries><country>Ireland</country><id>2</id></countries><countries><country>United Kingdom</country><id>3</id></countries><countries><country>Poland</country><id>4</id></countries></countriess>

在服务器端(glassfish 日志)

FINE: [Web-Security] Policy Context ID was: myWS/myWS
FINE: [Web-Security] hasUserDataPermission perm: ("" "/webresources/entities.countries" "GET")
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINE: [Web-Security] Policy Context ID was: myWS/myWS
FINE: [Web-Security] Codesource with Web URL: file:/myWS/myWS
FINE: [Web-Security] Checking Web Permission with Principals : null
FINE: [Web-Security] Web Permission = ("" "/webresources/entities.countries" "GET")
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (myWS/myWS)- result was(false) permission (("" "/webresources/entities.countries" "GET"))
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] hasResource perm: ("" "/webresources/entities.countries" "GET")
FINE: [Web-Security] Policy Context ID was: myWS/myWS
FINE: [Web-Security] hasUserDataPermission perm: ("" "/webresources/entities.countries" "HEAD")
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINE: [Web-Security] Policy Context ID was: myWS/myWS
FINE: [Web-Security] Codesource with Web URL: file:/myWS/myWS
FINE: [Web-Security] Checking Web Permission with Principals : null
FINE: [Web-Security] Web Permission = ("" "/webresources/entities.countries" "HEAD")
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (myWS/myWS)- result was(false) permission (("" "/webresources/entities.countries" "HEAD"))
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] hasResource perm: ("" "/webresources/entities.countries" "HEAD")
FINE: [Web-Security] Setting Policy Context ID: old = null ctxID = myWS/myWS
FINE: [Web-Security] hasUserDataPermission perm: ("" "/webresources/entities.countries" "GET")
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINE: [Web-Security] Policy Context ID was: myWS/myWS
FINE: [Web-Security] Codesource with Web URL: file:/myWS/myWS
FINE: [Web-Security] Checking Web Permission with Principals : null
FINE: [Web-Security] Web Permission = ("" "/webresources/entities.countries" "GET")
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (myWS/myWS)- result was(false) permission (("" "/webresources/entities.countries" "GET"))
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] hasResource perm: ("" "/webresources/entities.countries" "GET")
FINEST: Processing login with credentials of type: class
FINE: Logging in user [dummy] into realm: jdbcRealm using JAAS module: jdbcRealm
FINE: Login module initialized: class
FINEST: JDBC login succeeded for: dummy groups:[dummy]
FINE: JAAS login complete.
FINE: JAAS authentication committed.
FINE: Password login succeeded for : dummy
FINE: Set security context as user: dummy
FINE: [Web-Security] Policy Context ID was: myWS/myWS
FINE: [Web-Security] Codesource with Web URL: file:/myWS/myWS
FINE: [Web-Security] Checking Web Permission with Principals : dummy, dummy
FINE: [Web-Security] Web Permission = ("" "/webresources/entities.countries" "GET")
FINE: [Web-Security] hasResource isGranted: true
FINE: [Web-Security] hasResource perm: ("" "/webresources/entities.countries" "GET")


  • 在客户端,我看到 401 响应代码,这意味着未授权。如果我使用与测试 Web 服务完全相同的凭据,怎么会出现这种情况?
  • 在客户端,如果我在身份验证弹出窗口上按“取消”,如果用户未经过正确身份验证,为什么我仍然会收到请求中的 XML 数据?
  • 在服务器端,仍然正在发生身份验证过程。这是否与它是用 Java 编码有关?但同样,如果身份验证过程确实成功,为什么身份验证弹出窗口会显示在客户端?

您遇到的症状的原因是 Oracle 有在 Web Start 中使用 JDK7 默认启用 HTTP 响应缓存:

默认启用缓存:缓存应用程序的网络内容 现在默认启用在 Web Start 模式下运行的代码。这允许 应用程序提高了小程序执行的性能和一致性 模式。为了确保使用最新的内容副本,应用程序 可以使用URLConnection.setUseCaches(false)或请求头Cache-Control values no-cache/no-store.

所以我所做的是,在创建 Jersey 客户端后设置此标头:

Client client = Client.create();
client.addFilter( new HTTPBasicAuthFilter( userId, password ) );
client.addFilter( new ClientFilter() {

    public ClientResponse handle( ClientRequest cr )
       throws ClientHandlerException {
           List<Object> cacheControlRequestValues = new ArrayList<Object>();
           cacheControlRequestValues.add( "no-cache" );
           cacheControlRequestValues.add( "no-store" );
           cr.getHeaders().put( HttpHeaders.CACHE_CONTROL, cacheControlRequestValues );
           return getNext().handle( cr );

现在,如果上述规范正确,并且 Web Start 的实现将遵循HTTP/1.1 参考,其中指出

no-store 指令的目的是防止无意的 释放或保留敏感信息(例如,在备份时) 磁带)。 no-store 指令适用于整个消息,并且可以 在响应或请求中发送。如果在请求中发送,则 缓存不得存储此请求或任何响应的任何部分 到它。

我们会没事的 - 网络嗅探器证明客户端正确设置了 Cache-Control 标头。泽西岛的 ContainerResponseFilter 还向我展示了request设置正确。这response另一方面没有设置 Cache-Control 标头。根据规范,应该没有关系,但实际上 Web Start 一直在缓存响应!

因此,我编写了一个 ContainerResponseFilter,它将 Cache-Control 标头从请求复制到响应:

import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerResponse;
import com.sun.jersey.spi.container.ContainerResponseFilter;

import java.util.ArrayList;
import java.util.List;

public class CacheControlCopyFilter
    implements ContainerResponseFilter 

    public ContainerResponse filter( ContainerRequest containerRequest, ContainerResponse containerResponse ) {
        if ( containerRequest.getRequestHeader( HttpHeaders.CACHE_CONTROL ) != null ) {
            List<Object> responseCacheControlValues = new ArrayList<Object>( containerRequest.getRequestHeader( HttpHeaders.CACHE_CONTROL ).size() );
            for ( String value : containerRequest.getRequestHeader( HttpHeaders.CACHE_CONTROL ) ) {
                responseCacheControlValues.add( value );
            containerResponse.getHttpHeaders().put( HttpHeaders.CACHE_CONTROL, responseCacheControlValues );
        return containerResponse;




然后你必须删除你的 Java 客户端缓存:

"javaws -viewer" -> General
                 -> Settings...
                 -> Delete Files...
                 -> Select all three check boxes
                 -> OK



    首先 我对这篇长文表示歉意 这是我之前问题的延续 7u21更新后弹出需要验证的窗口 关于这个问题 但我缩小了搜索范围 简而言之 自 Java 7u21 以来 我的 BASIC 身份验证似乎已被破坏 通过 JNLP 文件启动的小程序根本无法稳