Guice security with bindInterceptor vs. a Filter?

Posted 2024-12-03 08:33:13 · 1011 characters · 0 views · 0 comments


I have a simple use case where I want to grab a session variable at the beginning of the session and only allow access to certain pages based on the result. I'm not really clear on whether this is best accomplished using bindInterceptor to intercept any @Get or @Post method on any page, or whether it is better to use a filter. Here is a sketch of what I'd like to do, but I am open to alternatives:

At the start of a new session (@SessionScoped ?), check a session variable authentication token

if (authentication == admin) {
    serveRegex("admin/(jsp|html)/.*").with(GuiceContainer.class);   //only allow /admin subpages
    req.getRequestDispatcher("/admin").forward(req, res); //fwd all initial page requests to /admin
}
else if (authentication == user) {
    serveRegex("user/(jsp|html)/.*").with(GuiceContainer.class);  //only allow /user subpages
    req.getRequestDispatcher("/user").forward(req, res); //fwd all initial page requests to /user
}
else {
    serveRegex("signin/(jsp|html)/.*").with(GuiceContainer.class);  //only allow /signin subpages
    req.getRequestDispatcher("/signin").forward(req, res);  //fwd all initial page requests to /signin
}

Which technique is the preferred approach (least code, fastest, etc) for managing this security model? I'd love to see an example project.

Thanks for your help!

-John


Comments (1)

谁与争疯 2024-12-10 08:33:13


The common way of doing this is using a Filter. Given that you seem to segregate your URI space for the different required permissions, that's also probably the easiest way. A bindInterceptor style is useful if you want the authentication logic declared on the methods/classes ("@AdminRequired" or such), but there's really no good reason to do that - segregating the URI space is easier.

Just bind a Filter that gets the current user/authorization logic and checks whether the permissions match the URI the request is going to.

E.g.

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

class AuthenticationFilter implements Filter {
  private static final String LOGIN_PAGE = "/login-page-placeholder"; // placeholder: the answer's "... login page ..."

  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    // The container hands over the generic types; down-cast to get getRequestURI()/sendRedirect().
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;
    User user = getUserSomehow();   // the answer's placeholder: load the current user from the session
    if (user == null) {
      resp.sendRedirect(LOGIN_PAGE);
      return;
    }
    if (req.getRequestURI().startsWith("/admin")) {
      // Enforce Admin login, error out otherwise.
      if (!user.isAdmin()) {        // isAdmin(): assumed accessor on the answer's User type
        resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
      }
    }
    // Proceed with executing the request.
    chain.doFilter(request, response);
  }

  public void init(FilterConfig config) {}
  public void destroy() {}
}

Note that you'll have to down-cast the ServletRequest/Response to HttpServletRequest/Response.
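A complete version of the filter approach the answer recommends, wired into a Guice ServletModule. This is an added example, not code from the question, the answer or the Guice project; the `Role` enum, the `role` session attribute, the `/signin` login path and the stand-in `AreaServlet` are assumptions made for the example. It also covers two points the sketches above leave open: `configureServlets()` runs once when the injector is built, so the question's idea of calling `serveRegex` conditionally per session cannot work and the per-request decision has to live in the filter; and a bare `startsWith("/admin")` also admits `/administrator`, so the prefix is matched as a whole path segment.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;
import com.google.inject.Guice;
import com.google.inject.Injector;
import com.google.inject.Singleton;
import com.google.inject.servlet.GuiceServletContextListener;
import com.google.inject.servlet.ServletModule;

enum Role { ADMIN, USER }   // assumed: stored in the session by the login code

@Singleton   // Guice-servlet requires filters and servlets to be singletons
class AuthorizationFilter implements Filter {
  static final String ROLE_ATTRIBUTE = "role";   // assumed session attribute name
  static final String LOGIN_PATH = "/signin";    // the question's sign-in area

  // App-relative URI prefix -> role allowed there. Anything not listed is public.
  private static final Map<String, Role> REQUIRED = new LinkedHashMap<>();
  static {
    REQUIRED.put("/admin", Role.ADMIN);
    REQUIRED.put("/user", Role.USER);
  }

  /** Role needed for a path, or null when the path is public. */
  static Role requiredRole(String path) {
    for (Map.Entry<String, Role> e : REQUIRED.entrySet()) {
      String prefix = e.getKey();
      // Match the prefix as a whole segment, so "/adminx" does not pass as "/admin".
      if (path.equals(prefix) || path.startsWith(prefix + "/")) return e.getValue();
    }
    return null;
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;

    // getRequestURI() includes the context path; strip it so the prefixes above are app-relative.
    String path = req.getRequestURI().substring(req.getContextPath().length());
    Role needed = requiredRole(path);
    if (needed == null) {
      chain.doFilter(request, response);
      return;
    }
    // getSession(false): do not create a session just to find out there is none.
    HttpSession session = req.getSession(false);
    Role actual = session == null ? null : (Role) session.getAttribute(ROLE_ATTRIBUTE);
    if (actual == null) {
      resp.sendRedirect(req.getContextPath() + LOGIN_PATH);   // anonymous: go sign in
      return;
    }
    if (actual != needed) {
      resp.sendError(HttpServletResponse.SC_FORBIDDEN);        // signed in, but wrong area
      return;
    }
    chain.doFilter(request, response);
  }

  @Override public void init(FilterConfig config) {}
  @Override public void destroy() {}
}

@Singleton
class AreaServlet extends HttpServlet {   // stand-in for the real admin/user/signin pages
  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    resp.setContentType("text/plain");
    resp.getWriter().println("served " + req.getRequestURI());
  }
}

/** Registered as a listener in web.xml, with com.google.inject.servlet.GuiceFilter mapped to /*. */
class AppServletConfig extends GuiceServletContextListener {
  @Override
  protected Injector getInjector() {
    return Guice.createInjector(new ServletModule() {
      @Override
      protected void configureServlets() {
        // Runs once at startup, so the routing table cannot depend on the current session;
        // the filter above makes the per-request decision instead.
        filter("/*").through(AuthorizationFilter.class);
        serve("/admin/*", "/user/*", "/signin/*").with(AreaServlet.class);
      }
    });
  }
}
```

Keeping the prefix-to-role table in one place means the URI layout is the whole policy, which is exactly the property the answer relies on; if admins should also be allowed into `/user`, extend `requiredRole` to return a set of roles rather than adding a second filter.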
