Secure content on HttpServer using a Tomcat Application - any ideas?


Question

We have a Web Application on Tomcat. The App accesses content (confidential) from dedicated Apache HTTPServers. We do not want unauthorized users accessing this content, i.e. only users authenticated through the WebApp (on Tomcat) can access HttpServer content. (We are using HTTPS to secure the network, but if someone gets the direct httpserver URL for content they may download the content.)

We are thinking of hosting the content inside the same webapp on Tomcat. Any ideas?

Answer

The easy/lazy way to do this is to enforce that the HTTP Referrer on each hit to the Apache servers is the address of your Tomcat server. A page on that: http://www.htaccess-guide.com/deny-visitors-by-referrer/

However, it's fairly trivial for a hacker to spoof the HTTP referrer if they figure out that's your protection scheme.

Two more complicated but secure methods, in order of effort:


  1. 写JSP页面或验证用户登录Tomcat服务器上的东西,然后通过HTTP获取了Apache的数据,然后将数据输出返回给最终用户。你是这样做有效地编写自己的反向代理。然后有锁定到只会页到Tomcat服务器的IP地址(ES)Apache服务器(你希望允许任何其他authorzied /内部IP)。优点:仍然pretty快做。缺点:你使用Tomcat的资源来显示每个页面关闭其他服务器,它可以引入可扩展性问题,尤其是在Apache服务器的服务了大量的字节(例如,如果Apache提供了一个500兆的文件,将那排你的tomcat脚本的记忆是什么?这取决于你如何code和测试你的JSP页面!小心!)。如果页面是微小的,它可能不是一个问题。

  1. Write a JSP page or something on the Tomcat server that verifies the user is logged in, then fetches the data off Apache by HTTP, and then outputs the data back to the end user. You are effectively writing your own reverse proxy by doing this. Then have the Apache server locked down to only serve pages to the Tomcat server's IP address(es) (and any other authorzied/internal IPs you wish to allow). Pros: still pretty quick to do. Cons: you're using tomcat resources to display each page off the other server, it can introduce scalability issues, especially if the apache servers serve up large numbers of bytes (for instance, if apache serves up a 500 meg file, will that exhaust your tomcat script's memory? That depends how well you code and test your JSP page! Beware!). If the pages are tiny, it's probably not an issue.

2. Implement some kind of Single Sign On between Apache and Tomcat. This could be cookie based or something fancier still (like with a backend authentication server tracking the sessions). In this way Apache would know that the user requesting the https:// page was properly authenticated and would deny the request otherwise. Pros: completely scalable. Cons: harder to set up; many of the solutions out there are commercial/pay products.
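As an added example (not code from the original answer or from any Tomcat or Apache project), the following servlet implements option 1 above: it refuses requests without an authenticated Tomcat session, restricts the requested path so the servlet cannot be used as an open proxy, fetches the file from Apache, and copies the body through a fixed 8 KB buffer so that a 500 MB file costs the same memory as a 5 KB one. The backend address, the `authenticatedUser` session attribute and the `/content/*` mapping are assumptions; the app's own login code would set the attribute, and Apache is assumed to be locked down separately to the Tomcat host's IP.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumption: Apache listens on an internal address that only the Tomcat host
// may reach (network rule or "Require ip" in httpd.conf). This servlet is the
// only path by which browser users obtain the confidential files.
@WebServlet("/content/*")
public class ContentProxyServlet extends HttpServlet {

    // Hypothetical internal origin; replace with the real Apache address.
    private static final String BACKEND = "https://content.internal.example:8443/docs";
    // Hypothetical session attribute set by the application's own login code.
    private static final String USER_ATTR = "authenticatedUser";
    private static final int BUFFER_SIZE = 8 * 1024;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Authentication gate: no valid session, no content.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. Constrain what may be fetched so this is not an open proxy and
        //    cannot be steered outside the content tree with "..".
        String path = req.getPathInfo(); // e.g. "/reports/q1.pdf"
        if (path == null || !isSafePath(path)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // 3. Fetch from Apache. Only the path is forwarded; none of the
        //    browser's headers or cookies are relayed to the backend.
        HttpURLConnection conn = (HttpURLConnection) new URL(BACKEND + path).openConnection();
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(30000);
        try {
            int status = conn.getResponseCode();
            if (status != HttpURLConnection.HTTP_OK) {
                resp.sendError(status == HttpURLConnection.HTTP_NOT_FOUND
                        ? HttpServletResponse.SC_NOT_FOUND
                        : HttpServletResponse.SC_BAD_GATEWAY);
                return;
            }

            // 4. Stream with a fixed buffer: memory use does not grow with file size.
            String contentType = conn.getContentType();
            resp.setContentType(contentType != null ? contentType : "application/octet-stream");
            long length = conn.getContentLengthLong();
            if (length >= 0) {
                resp.setContentLengthLong(length);
            }
            try (InputStream in = conn.getInputStream();
                 OutputStream out = resp.getOutputStream()) {
                byte[] buf = new byte[BUFFER_SIZE];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
            }
        } finally {
            conn.disconnect();
        }
    }

    /** Accepts only plain slash-separated segments of safe characters, no ".." and no empty segments. */
    static boolean isSafePath(String path) {
        if (!path.matches("(/[A-Za-z0-9._-]+)+")) {
            return false;
        }
        for (String segment : path.substring(1).split("/")) {
            if (segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        return true;
    }
}
```

The path check matters as much as the session check: without it, an authenticated user could point the servlet at any URL the Tomcat host can reach, and the "lock Apache down to Tomcat's IP" step would then protect nothing. Streaming in a loop rather than reading the whole body into a byte array is what keeps the 500 MB case from exhausting the heap.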
