Where is JSESSIONID stored? (JavaEE)


Question


I have two applications - A Java EE web application and a Java SE applet. I want to authenticate a user in the applet by means of a JSESSIONID (which is created by the web application).


So there is a problem - how to associate this JSESSIONID with a particular user?


How to check (on the web server application side) which user is represented by such JSESSIONID? In the applet I will be reading it from a cookie, and then I want to write a simple Servlet which will accept this JSESSIONID as a POST message. Thereafter I would like to write in the response nothing at all when the JSESSIONID is bad, and the user info if JSESSIONID is good (i.e. is representing someone).


Does anyone know how to do this?

Answer


JSESSIONID is a low-level mechanism that you typically shouldn't care about. On the server side the servlet container transparently translates JSESSIONID to an HttpSession object available in the servlet. The session id is passed to the server transparently as well, using the Cookie header or URL rewriting.


So if you are clicking on a link or posting an ordinary form in a webpage, the browser automatically passes the JSESSIONID cookie or attaches it to the URL.


Your design has a major flaw: secure servlet containers should add the HttpOnly attribute to the JSESSIONID cookie (see: How do you configure HttpOnly cookies in tomcat / java webapps?, http://stackoverflow.com/questions/33412). This is to prevent JavaScript from reading the JSESSIONID cookie for security reasons - like hijacking a user session. Your applet might not even see that cookie!


I don't know much about applets, but I would advise you to perform the HTTP request via the web browser somehow so the security identification (cookie) is handled automatically.
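The following is an added example, not code from the original question or answer. It shows the server-side shape the answer recommends: instead of accepting a raw JSESSIONID in a POST body and trying to look it up, the servlet lets the container resolve the session from the Cookie header (or ;jsessionid= URL rewrite) via `request.getSession(false)`, and it marks the session cookie HttpOnly (and Secure) at startup with the Servlet 3.0 `SessionCookieConfig` API. The servlet path `/whoami`, the `authenticatedUser` session attribute, and the assumption that a login step elsewhere sets that attribute are all assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Returns the identity bound to the caller's session, or an empty 401 if the
 * container could not resolve a valid, authenticated session.
 *
 * Nothing here parses or trusts a JSESSIONID supplied by the client in the
 * request body: the container already matched the cookie/URL token against
 * its session store before doPost() runs.
 */
@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {

    // Assumed attribute name; the login code (not shown) stores the user name here.
    static final String USER_ATTR = "authenticatedUser";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false): never create a session for an unauthenticated caller,
        // only return the one the container resolved from JSESSIONID (or null).
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        if (user == null) {
            // Bad, expired or unauthenticated session: empty response, as the
            // question asked for, with a status code the applet can branch on.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().print(user.toString());
    }

    /**
     * Hardens the session cookie before the first session is created.
     * Equivalent to this web.xml (Servlet 3.0+):
     *
     *   <session-config>
     *     <cookie-config>
     *       <http-only>true</http-only>
     *       <secure>true</secure>
     *     </cookie-config>
     *   </session-config>
     */
    @WebListener
    public static class SessionCookieHardening implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
            cfg.setHttpOnly(true); // scripts (and, as the answer notes, applets) cannot read it
            cfg.setSecure(true);   // only sent over HTTPS, so it is not exposed on the wire
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) {
            // nothing to clean up
        }
    }
}
```

Deploy this in the same web application that performs the login, so both share the session store; a client that can make requests through the browser's own HTTP stack (so the cookie is attached automatically) will receive the user info, while a request carrying no valid session cookie gets an empty 401 and creates no session server-side.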
