如何在Web应用程序中实现HTTPS登录页面？ [英] How to implement a HTTPS login page in a web application?

问题描述

我想创建一个安全的登录/注销机制。我开始阅读以下文章以了解需要考虑的事项：

I want to create a secure login/logout mechanism. I started reading the following articles to get an idea of things to take into account:

• 正确优雅地解决退出问题


• 重新审核退出问题

• Solving the Logout Problem Properly and Elegantly
• Revisiting the logout problem

这些文章提出了一些好处，但我正在考虑以与Yahoo邮件登录页面类似的方式使用HTTPS。您知道...您输入 http://mail.yahoo.com ，然后您将被重定向到HTTPS页面** https：//**login.yahoo.com/config/login您插入用户名和密码，验证凭据后，您将被重定向回具有生成的 session_id的HTTP页面 cookie和来自那里的所有通信都在使用cookie的HTTP上。

These articles make some good points, but I was thinking in using HTTPS in a similar way as the Yahoo mail login page. You know... you type http://mail.yahoo.com and you are redirected to a HTTPS page like **https://**login.yahoo.com/config/login where you insert your username and password and after your credentials are verified you are redirected back to a HTTP page with a generated session_id cookie and all communications from there on are on HTTP using the cookie.

我需要什么来实现这种行为？

What do I need to implement this behavior?

我想为两个Java Web应用程序（一个使用Spring框架，一个使用Struts 1）执行此操作，但不知道如何将该HTTPS部分集成到应用程序（我之前从未使用过HTTPS）。

I want to do this for two Java web apps (one with Spring framework and one with Struts 1) but don’t know exactly how to integrate that HTTPS part into the application (I have never worked with HTTPS before).

推荐答案

首先，您需要为服务器启用SSL。对于Tomcat，您需要生成一个openSSL密钥库并将以下连接器添加到server.xml：

First of all you need to enable SSL for your server. For Tomcat you need to generate an openSSL keystore and add the following connector to server.xml:

<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="mykeystore" sslProtocol="TLS"
   keystorePass="keystore password" />

要将SSL集成到您的应用程序中，我建议使用Spring Security。它提供您想要的（通过HTTPS登录，然后重定向到HTTP）。您需要做的就是将forceHTTPS设置为true：

To integrate SSL into your application I recommend Spring Security. It offers exactly what you want (login over HTTPS, then redirected to HTTP). All you have to do to implement it, is to set forceHTTPS to true:

<bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl" value="/pages/login.jsp" />
  <property name="forceHttps" value="true"/>
</bean>

当然，春季和春季安全确实有一个相当陡峭的学习曲线，但它是完全值得的。做一次，然后你可以在不到一个小时的时间内将它应用到新的应用程序。您可以在Spring和Struts应用程序中使用Spring Security。

Of course Spring and Spring security do have a rather steep learning curve, but it is totally worth it. Do it once and then you can apply it to new apps in less than an hour. You can use Spring Security in both the Spring and Struts application.

Spring安全性曾经是Acegi安全性。这是文章，会让你开始。

Spring security used to be Acegi security. This is an article that will get you started.

这篇关于如何在Web应用程序中实现HTTPS登录页面？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！