How do I do security in JSF?


Question

I am using Java EE 6 with all reference implementations. Having made some security constraints for some pages such as everything beneath /secure/*. This is rough grained security. What if two users both have the same roles, but some content of the same page should only be visible to user "John" for example? Or a totally different page should be shown to "John"? I have many questions unanswered around this so it would be nice if somebody could provide some links/explanations or books that cover this as well. I need more fine grained security control.

Answer

The fine-grained security features you're hoping for not only exist, Oracle even has a useful blog post covering the subject in detail, complete with sample code.

And because it would be terse and impolite of me to simply link the docs and run, what follows is a bit of discussion on how this goes together to the best of my understanding.

The biggest problem with declarative security is it forces you to iteratively define all of your user roles at design time. This is extremely undesirable for two reasons: first, it fails to properly abstract your security model away from your implementation (failing to adequately future-proof your application and opening the door to information disclosure vulnerabilities), and second, it tethers your user roles to the immediate design of your application, routinely failing to provide fine-grained permissions or ACLs when they're desired or necessary.

In effect, this is a problem of insufficient abstraction. You're using a system that immediately meets your current needs, but not one that you can expect to be workable or maintainable over the life cycle of your application, as roles become more complex and the complexity of your code base steadily increases.

The first-order solution here is to use an abstraction model that allows you to define user roles independently in the context of each JSF method call, allowing you to swap them in or out as needed. As a bonus, this allows you to define finer-grained permissions, as such a scheme allows you to define your permissions per method instead of per view, per endpoint, or per bean. And if the roles change? You only need to update your permissions model in a single location, instead of going to each of those beans and swapping out their user definitions.

The aforelinked article goes into far more detail than I'm willing to cover here, so I highly recommend reading the blog post. But the takeaway here is, to do this properly, you should provide both an authentication stack and an annotation layer detailing permission roles, and the twain shall only meet where you've explicitly and deliberately connected the two.

Defining fine-grained method calls and a security policy that makes sense is left as an exercise for the reader, but if you have questions in this area, feel free to ask them in the comments or in a set of follow-up questions, as these questions are inherently useful to a wide audience.

It's conceivable that this solution isn't robust enough for your needs. For example, if you wish to authenticate users using LDAP or Kerberos to provide a unified representation of your users and roles, this only provides a partial solution to meet your needs. Several great resources exist in this domain, but this is otherwise left as an exercise for the reader.

The ultimate takeaway here is, in the perfect world, this is how your application security should be defined. Your needs may vary, and for something left at the small scale, simple, declarative security may be fine to meet your needs. After all, that's why it continues to exist.

But, for larger applications that must meet the needs of a large number of users securely and correctly, this is the right way to go. It requires a bit more knowledge and overhead, but it'll save you copious amounts of time, effort, and frustration if you begin by doing it properly.

As always, best of luck with your application.
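The "annotation layer plus authentication stack" approach the answer describes, as an added illustration that is not part of the original answer or of the Oracle post it refers to: a hypothetical `@RequiresPermission` interceptor binding, a session-scoped bean that maps the container-authenticated `Principal` to fine-grained permissions (a constructed in-memory map stands in for a real permission store such as a database or LDAP), and a CDI interceptor that enforces the annotation on every intercepted method call. Shown as three Java EE 6 source files in one listing; the permission names and users are invented.

```java
// --- RequiresPermission.java: hypothetical binding naming the permission a method needs
import java.lang.annotation.*;
import javax.enterprise.util.Nonbinding;
import javax.interceptor.InterceptorBinding;

@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
public @interface RequiresPermission {
    @Nonbinding String value() default "";   // e.g. @RequiresPermission("report:export")
}

// --- CurrentUser.java: the authentication side; resolves who is logged in to what they may do
import java.io.Serializable;
import java.security.Principal;
import java.util.*;
import javax.enterprise.context.SessionScoped;
import javax.inject.*;

@Named @SessionScoped
public class CurrentUser implements Serializable {
    @Inject private Principal principal;   // populated by container login (FORM, BASIC, ...)
    // Constructed stand-in for a permission store: same role, different per-user permissions.
    private static final Map<String, Set<String>> PERMS = new HashMap<String, Set<String>>();
    static {
        PERMS.put("john", new HashSet<String>(Arrays.asList("report:view", "report:export")));
        PERMS.put("jane", new HashSet<String>(Arrays.asList("report:view")));
    }
    public boolean hasPermission(String perm) {   // deny by default: unknown or anonymous user
        if (principal == null || principal.getName() == null) return false;
        Set<String> granted = PERMS.get(principal.getName());
        return granted != null && granted.contains(perm);
    }
}

// --- PermissionInterceptor.java: the single place where annotation and user permissions meet
import javax.inject.Inject;
import javax.interceptor.*;

@RequiresPermission @Interceptor
public class PermissionInterceptor {
    @Inject private CurrentUser user;
    @AroundInvoke
    public Object check(InvocationContext ctx) throws Exception {
        RequiresPermission rp = ctx.getMethod().getAnnotation(RequiresPermission.class);
        if (rp == null) rp = ctx.getMethod().getDeclaringClass().getAnnotation(RequiresPermission.class);
        if (rp == null || !user.hasPermission(rp.value()))   // no annotation found also denies
            throw new SecurityException("permission denied");
        return ctx.proceed();
    }
}
```

The interceptor must be enabled in beans.xml (`<interceptors><class>PermissionInterceptor</class></interceptors>`), after which annotating a managed-bean action with `@RequiresPermission("report:export")` guards that one method. For the "only John sees this" case, the same bean drives the view: `rendered="#{currentUser.hasPermission('report:export')}"` hides the component while the interceptor still blocks any direct call.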
