AngularJs和JBoss和JAAS [英] AngularJs and Jboss and JAAS

问题描述

如果一会看 JBoss的安全框架关于如何使用JBoss 6，使JAAS创建此的web.xml 配置JAAS安全保障即REST API的一种可能的解释是：

If one would to look at JBoss security framework as one possible explanation on how to enable JAAS using JBoss 6 and create this web.xml to configure JAAS security to protect i.e. a Rest api:

    <?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
    <context-param>
        <param-name>resteasy.scan</param-name>
        <param-value>true</param-value>
    </context-param>

    <context-param>
        <param-name>resteasy.servlet.mapping.prefix</param-name>
        <param-value>/api</param-value>
    </context-param>

    <listener>
        <listener-class>
            org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap
        </listener-class>
    </listener>

    <servlet>
        <servlet-name>resteasy-servlet</servlet-name>
        <servlet-class>
            org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
        </servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>resteasy-servlet</servlet-name>
        <url-pattern>/api/*</url-pattern>
    </servlet-mapping>

  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>fileRealm</realm-name>
    <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>

   <error-page>
     <error-code>403</error-code>
     <location>/accessdenied.jsp</location>
   </error-page>

  <security-constraint>
    <display-name>Secured Content</display-name>
    <web-resource-collection>
      <web-resource-name>Secured Content</web-resource-name>
      <url-pattern>/api/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMINISTRATOR</role-name>
      <role-name>MANAGER</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>ADMINISTRATOR</role-name>
  </security-role>

  <security-role>
    <role-name>MANAGER</role-name>
  </security-role>

  <security-role>
    <role-name>EMPLOYEE</role-name>
  </security-role>

  <security-role>
    <role-name>USER</role-name>
  </security-role>

  <security-role>
    <role-name>DEFAULT</role-name>
  </security-role>

  <session-config>
    <session-timeout>5</session-timeout>
    <cookie-config>
      <name>SESSIONID</name>
    </cookie-config>
  </session-config>
</web-app>

然后像 HTTP网址：//本地主机：8080 / webcontext / API / restpath 将得到保护，并创下该URL重定向到登录页面。这对我的作品。

then a URL like http://localhost:8080/webcontext/api/restpath will be protected and hitting this URL will redirect to the login page. And this works for me.

现在我想带AngularJS这个组合的前端。可能吗？是这样的，我应该怎么实现它。如果不是，有什么办法？理想情况下，我想使用JAAS。

Now I would like to bring AngularJS into this mix as the frontend. Would it be possible? Is so, how should I implement it. If not, what is the alternatives? Ideally I would like to use JAAS.

我想我想知道的是，我怎么能修改

I think what I like to know is, how can I change the

<form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
</form-login-config>

＆LT;形式登录页＆GT; 来而成为如一个 /partial/view/login.html 中的角应用程序呢？ （如果这样做有意义）在摆脱的login.html 文件换句话说，具有JAAS重定向到任何网页/文件是角定义为登录表单。

<form-login-page> to rather serve e.g. a /partial/view/login.html within the Angular app instead? (if this does make sense) In other words getting rid of the login.html file and have JAAS redirect to whatever page/file is define in Angular as the login form.

推荐答案

您可以使用的Servlet / J2EE安全为您的休息终点，我的猜测是你用什么角度。

You can use Servlet/Java EE security for your REST endpoint, which I guess is what you're using for Angular.

然而，FORM身份验证方法可能不适合这个，因为它更预期的实际用户应用的互动，而不是code至API。 Java EE的也有一个自定义选项。看看这个的http：//阿尔扬 - tijms。 omn​​ifaces.org/2014/11/header-based-stateless-token.html 的总体思路。

However the FORM authentication method is probably ill suited for this, as it's more intended for actual user to app interaction, not code to API. Java EE also has a CUSTOM option. Take a look at this http://arjan-tijms.omnifaces.org/2014/11/header-based-stateless-token.html for the general idea.

您很可能希望采取行动只是对HTTP返回codeS。拥有的Java EE认证模块返回一个403 *当用户没有通过验证，那么在你的角code显示基于本机登录页面/对话框。登录对话框可以调用其中的用户名/密码的令牌，然后在下面的REST调用使用交换登录端点。

You'd probably want to act just on the HTTP return codes. Have the Java EE authentication module return a 403* when the user is not authenticated, then in your Angular code display a native login page/dialog based on that. The login dialog could call a login endpoint where a username/password are exchanged for a token that you then use in the following REST calls.

请确保您使用HTTPS访问所有受保护的端点，但至少登录服务。此外，您可能要一段时间后过期的令牌。

Make sure that you access all the protected endpoints using HTTPS, but at least the login service. Additionally you probably want to expire the token after some time.

*）的 403是很好的起点，但还有东西总是返回404所以攻击者无法开始猜测其保护的URL存在的话。要检查是否验证成功（如果没有的URL存在或保护），可以呼应验证的用户的ID或名字回来的头。的

这篇关于AngularJs和JBoss和JAAS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！