Grails如何处理安全性,为什么我应该使用插件? [英] How does Grails handle security, and why should I use a plugin?
问题描述
对于简单的我是用户,因此我有权查看/编辑我自己的域对象我开发的应用程序,我将我的用户对象存储在一个会话中。但是,这让我想到了Grails如何在自己的实现中支持J2EE安全性和会话(它 在cookie中使用临时会话ID,对吗?)。此外,它是多么脆弱的攻击,如cookie注入和跨站点/流浪的JS?
我不想真正投入时间学习,整合和维护一个可能不需要它的应用程序的插件,所以我的问题是,对于简单的应用程序,Grails的会话实现是否足够安全,并且是否有一个非常好的理由,即使对于这些简单的任务,我也应该使用安全性插件?
另一方面,如果任何人都可以指向我一个很好的OpenID / Facebook登录实现,那就太棒了。
原因我应该使用一个安全插件,即使这些琐碎的任务吗?
...在基本层面上,使用插件也很简单,那么会有什么损失呢? 截屏视频让您开始使用
For 90% of every security-related Grails tutorial, they tell you to store your User objects in a session-scoped variable. That's all nice and easy, but I wonder if it's too good to be true, especially with plugins like Spring Security that offer many times more features.
For the simple, "I am a user and therefore I am entitled to view/edit my own domain objects" applications that I develop, I store my User objects in a session. However, this got me thinking how Grails supports J2EE security and sessions in its own implementation (it does use a temporary session ID in the cookie, right?). Furthermore how vulnerable is it to attacks like cookie injection and cross-site/stray JS?
I don't want to actually invest the time in learning, integrating, and maintaining a plugin for an app that might not need it, so my question is, is Grails's session implementation secure enough for simple applications, and is there a very good reason I should use a security plugin even for these trivial tasks?
On a side-note, if anyone can point me to a good OpenID/Facebook login implementation, that would be terrific.
reason I should use a security plugin even for these trivial tasks?
... on a basic level it's also trivial to use the plugin so what's there to lose? Screencast to get you started
这篇关于Grails如何处理安全性,为什么我应该使用插件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!