Container managed security for a web application
I am completely new to Container managed security and need some help with configuring it in my web application.
I want to restrict access to the JSPs within my web application. This is how I have configured security in my web.xml:
<security-constraint>
    <display-name>PrivilegedConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>JSP Files</web-resource-name>
        <description>All the jsp files in the web application</description>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>PrivilegedRole</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BasicRealm</realm-name>
</login-config>
<security-role>
    <description>This is a privileged role. Has access to everything in the web app</description>
    <role-name>PrivilegedRole</role-name>
</security-role>
My questions are:
What is the purpose of realm-name in the login-config element?
Where do I configure the usernames and passwords and map the users to the roles?
When I try to access a JSP within my web application, I get asked for a username and password. What do I give there? And how does this security mechanism work?
I am completely new to security, so I will be grateful if someone can point me to a nice article which explains the basics of configuring security and how it actually works.
From the Java EE 6 tutorial:
The behaviour as defined thus in the current Servlet 3.0 spec:
This is container specific. That is, each server vendor is free to define how users/groups are defined and how this information is configured. There is usually more than one way to do this.
Users and groups are often defined in a directory. The server is then configured to use this directory and the administrator will map the application roles at deployment time.
A developer Tomcat test server might use a flat file; a production WebSphere server might hook into the company Exchange directory via LDAP.
Refer to your server documentation for more.
You could do worse than follow the Oracle Java EE 6 tutorial with Netbeans and Glassfish, but be aware of the steps that are specific to that vendor's products.
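As an added illustration of the answer's point (this is example code, written for this page; it is neither the asker's nor the answerer's code), the script below takes the web.xml fragment from the question and a constructed Tomcat-style tomcat-users.xml (the flat-file user store the answer mentions; usernames and passwords are placeholders) and does the administrator's mapping check: which users will satisfy each role named in an auth-constraint, whether every such role is also declared as a security-role, and whether BASIC or FORM authentication is being used on resources whose transport-guarantee is not CONFIDENTIAL. It assumes the web.xml has no default XML namespace, exactly as in the question; a namespaced deployment descriptor would need the element paths prefixed accordingly. The realm-name, incidentally, is just the label the container puts in its WWW-Authenticate challenge, so it is what the browser shows in the password prompt; it does not select the user store.

```python
"""Audit a web.xml security configuration against a Tomcat user file (added example)."""
import xml.etree.ElementTree as ET

# The security section from the question, wrapped in a root element.
WEB_XML = """<web-app>
<security-constraint>
    <display-name>PrivilegedConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>JSP Files</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>PrivilegedRole</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BasicRealm</realm-name>
</login-config>
<security-role>
    <role-name>PrivilegedRole</role-name>
</security-role>
</web-app>"""

# Constructed stand-in for Tomcat's conf/tomcat-users.xml (assumption: the server
# uses Tomcat's file-based realm). Names and passwords are placeholders only.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="PrivilegedRole"/>
  <user username="alice" password="change-me" roles="PrivilegedRole"/>
  <user username="bob" password="change-me" roles="viewer"/>
</tomcat-users>"""


def audit_web_xml(web_xml_text):
    """Return the login config, declared/required roles and any findings."""
    root = ET.fromstring(web_xml_text)
    declared = {e.text.strip() for e in root.findall("security-role/role-name")}
    auth_method = (root.findtext("login-config/auth-method") or "").strip()
    realm = (root.findtext("login-config/realm-name") or "").strip()
    required, findings = set(), []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        roles = {r.text.strip() for r in sc.findall("auth-constraint/role-name")}
        required |= roles
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        # A role named in an auth-constraint must also be declared as a security-role.
        for role in sorted(roles - declared):
            findings.append(f"role '{role}' protects {patterns} but is not declared as a security-role")
        # BASIC/FORM send the password with the request; without CONFIDENTIAL the
        # container does not force TLS, so the credential travels in cleartext.
        if roles and auth_method in ("BASIC", "FORM") and guarantee != "CONFIDENTIAL":
            findings.append(f"{auth_method} auth on {patterns} with transport-guarantee "
                            f"{guarantee}: credentials are sent in cleartext unless TLS is enforced elsewhere")
    return {"auth_method": auth_method, "realm": realm,
            "declared_roles": declared, "required_roles": required, "findings": findings}


def parse_tomcat_users(text):
    """Map each username in a tomcat-users.xml document to its set of roles."""
    root = ET.fromstring(text)
    return {u.get("username"): {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
            for u in root.findall("user")}


def check_role_mapping(web_xml_text, tomcat_users_text):
    """Resolve every required role to the users who hold it; report roles nobody holds."""
    audit = audit_web_xml(web_xml_text)
    users = parse_tomcat_users(tomcat_users_text)
    mapping = {role: sorted(name for name, roles in users.items() if role in roles)
               for role in audit["required_roles"]}
    unmapped = sorted(role for role, names in mapping.items() if not names)
    return {"mapping": mapping, "unmapped_roles": unmapped, "findings": audit["findings"]}


if __name__ == "__main__":
    result = check_role_mapping(WEB_XML, TOMCAT_USERS_XML)
    for role, names in result["mapping"].items():
        print(f"{role}: {', '.join(names) or '(no user holds this role)'}")
    for finding in result["findings"]:
        print("finding:", finding)
```

Run against the question's configuration, the script reports that only alice can log in to the JSPs (bob's "viewer" role satisfies no constraint) and flags the BASIC-over-NONE combination; switching the transport-guarantee to CONFIDENTIAL, or terminating TLS in front of the container and enforcing it there, clears that finding.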