j_security_check and JAAS
I have been given the task of implementing a login handler. The only detail the handler captures is username and password. Initially I was going to use a JSP that posted to a servlet, where the servlet carried out a DB lookup and also validated the user credentials. Upon successful login you are redirected, but an unsuccessful one takes you back to the JSP and displays appropriate error messages.
However, upon doing some research I discovered j_security_check and JAAS and am not sure which to use, or whether to use either at all.
What benefits will I get from either, and which would be most suitable for my task?
Security is composed of the following aspects:
Authentication: this consists of checking the credentials of the user; most of the time this is implemented through a login mechanism. Your task of creating a login page is part of authentication.
Authorization: application resources need to be protected from unauthorized access, which means that whenever a user requests a protected resource, the application needs to ensure that the user has the appropriate access rights. This is generally done by assigning roles to the user and putting in request filters that verify the access rights of the user. This part is more critical and requires detailed design analysis. Just authenticating the user is not enough; you need to ensure that protected resources are not accessed by users who are not authorized for them.
Transport layer security: the system architecture needs to ensure that data being transferred over the network does not fall into the hands of hackers or sniffers. SSL/TLS is used for achieving this.
J2EE containers and frameworks like Spring Security provide common functionality for each of the security aspects.
What you are trying to develop is a simple authentication mechanism. Application security is more demanding when it comes to access control, i.e. authorization.
Also, security needs to be scalable, i.e. as business needs change for integrating systems and security, your system should be able to adapt to things like Single Sign-On (SSO), LDAP authentication, etc.
Though JAAS and container security are good enough for scaling, there are a few restrictions with them. For example, you would need to depend on vendor-specific configurations and adapters. Your application would declare security needs in deployment descriptors, and server administrators would need to configure security realms at the server end.
I would recommend you evaluate the Spring Security (previously Acegi Security) framework. We have been using it in many of our projects and found it to be robust, customizable and easy to implement. It comes with a set of filters that intercept your requests and provide access control. The framework can be used to validate users against various user repositories such as databases, LDAP servers, OS security, etc. It is extensible and can be integrated with SSO servers. It also provides useful tag libraries for controlling access to parts within JSP pages.
Not only that, this framework also provides method-level security that can be imposed at class level through the Spring AOP framework.
You may as well check out Spring Security framework.
JAAS takes the load off you and allows you (or the client) to change authentication methods just by dropping in another module. For example from DB auth to LDAP to Kerberos to NT Domain - you get the point.
Use what your container provides and don't implement your own database lookup to do this. When the container knows who is logged in, you can use the roles to restrict access to certain pages. There are also different types of authentication.
Using JAAS will give you the flexibility to use another way of verifying the password (for example in active directory). Also single-sign-on could be implemented with this.
The simpler method should suffice unless you are doing really really sensitive stuff. Just remember the most important (and simple) bit: keep a password hash in the database, not the real password.