如何整合基础的认证angularjs和java JAAS？ [英] how to integrate angularjs and java jaas based authentication?

问题描述

我有这对前端和Java的支持angularJS web应用程序。角通过WebServices的宁静和消耗通过HTTP发送JSON的Java后端通信。我需要建立为这个应用程序的认证机制，并想知道怎么会是最好的方法，我目前使用基于JAAS认证（JDBC用户表）。这是我的应用程序是如何配置的：

I have a webapp which has angularJS on the frontend and Java on the backed. Angular communicates with the java backend via Restful webservices consuming and sending JSON across HTTP. I need to build the authentication mechanism for this app and was wondering how would be the best approach, currently I'm using JAAS based authentication (JDBC user table). This is how my app is configured:

我的web.xml配置有：

My web.xml configuration has:

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>userauth</realm-name>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/loginError.html</form-error-page>
        </form-login-config>                
    </login-config>

    <security-constraint>   
        <display-name>ConstraintSSL</display-name>
        <web-resource-collection>
            <web-resource-name>protected</web-resource-name>
            <description/>
            <url-pattern>/checkout/*</url-pattern>
            <url-pattern>/login/*</url-pattern>
            <url-pattern>/login.*</url-pattern>
            <url-pattern>/account/*</url-pattern>
            <url-pattern>/ad/create</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>

        <user-data-constraint>        
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>        
    </security-constraint>

    <security-constraint>   
        <display-name>ConstraintUser</display-name>
        <web-resource-collection>
            <web-resource-name>user</web-resource-name>
            <description/>
            <url-pattern>/account/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>       
            <description/>
            <role-name>ADMINISTRATORS</role-name>
            <role-name>USERS</role-name>
        </auth-constraint>

        <user-data-constraint>        
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>        
    </security-constraint>

    <security-role>
        <description/>
        <role-name>USERS</role-name>
    </security-role>
    <security-role>
        <description/>
        <role-name>ADMINISTRATORS</role-name>
    </security-role>

  <session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

   <welcome-file-list>
    <welcome-file>init.html</welcome-file>
   </welcome-file-list>

init.html只重定向到它加载角一个index.html页面，并开始实际应用。

init.html only redirects to a index.html page which loads angular and starts the actual app.

现在，这里是我UserController中用于处理在客户端（浏览器）用户相关的活动：

Now here is my UserController which handles user related activities on the client side (browser):

myControllers.controller('UserController', ['$scope', '$routeParams', 'UserService',
  function($scope, $routeParams, UserService) {
    $scope.logged = false;

    // if User is not detected by cookie
    $scope.user = fetchUserFromCookie();

    if (! $scope.user) {

        // set default guest user
        $scope.user = {         
            firstName : 'guest',
            lastName : 'user',
            preferredCurrency : "USD$",
            sessionHash: "XXXXXX",
            shoppingCart : {
                totalItems : 0,
                total : 0
            }           
        };      

    }

    $scope.login = function(userName, pass) {
          $scope.user = UserService.login(userName, pass);            
          $scope.logged = true;      
    };

    $scope.logout = function(userName) {
          $scope.user = UserService.logout(userName); // warn server side you're logging out
          $scope.logged = false;
          $scope.user = null;
    };

  }]);

我的目标是提供一个登录页面与JAAS基于JDBC的认证，并只允许有一个专用的管理角色或用户角色看到某个页面，如何在基于angularJS +的Java应用程序实现这一目标的用户？

My goal is to provide a login page with JAAS based JDBC authentication, and to allow only those user which has a specific ADMIN role or USER role to see a certain page, how to achieve this in a angularJS + Java based app ?

• 我的主要问题是与会话跟踪，

• my main concerns are with session tracking,

如何跟踪特定用户授予访问权限，并有权更改一个特定的记录？

how to track that a specific user has granted access and has permissions to change a specific record ?

如何prevent手动黑客喜欢手动更改JS code或以劫持用户会话改变一个Cookie？

how to prevent manual hacks like manually changing JS code or changing a Cookie in order to hijack a user session ?

推荐答案

• index.html页面应该包含令牌里面的html避免CSRF


• 令牌不应被存储在cookie存储


• 每个请求应与头参数
签署

• 服务器应该通过验证头每次请求


• 如果Cookie的使用是必须的，你应该为了验证引用者为prevent CSRF

这篇关于如何整合基础的认证angularjs和java JAAS？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！