Java security frameworks

Posted 2024-11-17 08:44:18 | 125 characters | 0 views | 0 comments


I'm kind of new to Java platform. I need to work with some security frameworks of Java for both desktop application and web application. Now I need to know, which frameworks should I study for desktop application (suppose for Java SE or Java EE) and for web application (suppose for JSP)?


Comments (2)

合久必婚 2024-11-24 08:44:18


I assume you are creating an overarching security architecture, governing remote connections and other aspects of the overall system. The desktop application security and web security are going to be different, but still solve a lot of the same problems in their own way.

Just some of the topics to include will be Authentication, Authorization, and Auditing (AAA), data security in transit and at rest, non-repudiation, transport layer security, platform security (e.g. managing platform privileges).

The two most common Java security frameworks are Spring Security and Apache Shiro. Both of these address a number of topics above, but they are frameworks - meaning you need to define the security architecture and policies, and then configure/extend the frameworks into your specific domain.

Bouncy Castle provides a bunch of off-the-shelf crypto, including being a compliant Java Cryptography Extension (JCE) - it is also FIPS 140-2 compliant, but not certified. There is a whole other game/industry of those selling the certified solutions.

Here is an example - let's say that your desktop application is going to use a Smart card with an X.509 certificate to gain access and interact with the web application. In that case, you have a bunch of security things to do with the smart card - PINs, encryption, etc. You then may want to use the client certificate on the server side, and an X.509 authentication provider on the server side. You may even then have some authorization routines based on the Distinguished Name provided in the certificate. You will find trust store access, authentication providers, role based access control and the like within the above security frameworks - but you have to put the pieces together.

You may also want to take a look @ OWASP for web security guidelines: https://www.owasp.org/index.php/Main_Page

If you are responsible for providing the security solution and you're starting with looking at the frameworks, I should give you a heads up that there is a knowledge sharing gap between security experts/analysts and software developers -- i.e. the people who tell you about how to exploit the weaknesses are usually not the same people who tell you how to configure the Spring Security or use the JCE API.

A decent mitigation strategy is to look at some of the "security wrapper" solutions, that essentially create small enclaves with hardened/secure entry points into the enclave. An example of a product like this would be Layer-7, which is commonly used as a web services security gateway.

Happy hunting!
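The smart-card scenario above ends with "authorization routines based on the Distinguished Name in the certificate". The following is an added illustration of that one step, written for this page and not taken from the answer or from any framework: it maps the subject DN of an already-validated client certificate to application roles using the JDK's own `LdapName` parser. The `OU_TO_ROLE` table and the sample subjects are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class DnAuthorization {
    // Hypothetical OU -> role policy; in a real deployment this comes from your security architecture.
    private static final Map<String, String> OU_TO_ROLE = Map.of(
            "Administrators", "ROLE_ADMIN",
            "Operators", "ROLE_OPERATOR");

    /**
     * Roles granted to a certificate subject. Returns an empty list for a malformed DN,
     * a DN with no CN, or a DN whose OUs are not in the policy (deny by default).
     */
    public static List<String> rolesFor(X500Principal subject) {
        List<String> roles = new ArrayList<>();
        try {
            // Parse the RFC 2253 form with LdapName so escaped separators such as
            // "CN=Doe\, John" are handled; a naive split(",") would mis-read them.
            LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
            boolean hasCn = false;
            for (Rdn rdn : dn.getRdns()) {
                String type = rdn.getType().toUpperCase();
                String value = String.valueOf(rdn.getValue());
                if (type.equals("CN")) {
                    hasCn = true;
                } else if (type.equals("OU") && OU_TO_ROLE.containsKey(value)) {
                    roles.add(OU_TO_ROLE.get(value));
                }
            }
            if (!hasCn) {
                return List.of(); // no identity component: grant nothing
            }
        } catch (InvalidNameException e) {
            return List.of();
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample subjects; in practice take cert.getSubjectX500Principal()
        // from the client certificate only after the chain has been validated.
        X500Principal admin = new X500Principal("CN=Doe\\, John, OU=Administrators, O=Example Corp");
        X500Principal guest = new X500Principal("CN=guest, OU=Visitors, O=Example Corp");
        System.out.println(rolesFor(admin));
        System.out.println(rolesFor(guest));
    }
}
```

The DN is untrusted input until the TLS layer (or `CertPathValidator` against your trust store) has verified the certificate chain, so this mapping belongs after that check, never in place of it.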

美人如玉 2024-11-24 08:44:18


There are several frameworks available:

If you build a web application together with Spring I would recommend looking at the Spring Security suite as it perfectly integrates into the other Spring environment. Also JBoss Seam has some interesting approaches.

Also some related stackoverflow links:

And of course:
