Apache Shiro & Java Security for Novices


Question

I know next-to-nothing about Java's security model, including XML configuration, policy-setting, any security framework components, tools (such as keystore, etc.) and everything in between.

Although I understand it will eventually become essential for me to roll up my sleeves and learn Java security in-depth, I was wondering if using something like Apache Shiro would help ease the transition a bit. As such, I have a few concerns with it.

Is Shiro, essentially, a "turnkey, catchall wrapper" for implementing security in Java applications (and more particularly, web apps)? Meaning, can one configure Shiro with their project and essentially tune it to do all the same configuration, policy settings, etc. that one would have to do "manually" (piecemeal) without it? If not, what shortcomings does Shiro have (what are some big things Shiro can't do for me that are vital)? Are there any large vulnerabilities that Shiro doesn't address at all?

Along the same lines, I've heard good things about OWASP's ESAPI framework. Anybody have experience with both? Can ESAPI and Shiro be configured to work together or is it simply a binary "one or the other" type deal?

Thanks in advance!

Recommended answer

The short answer is yes. Both Shiro and ESAPI can work together, although there is a lot of redundant functionality between the two APIs. Shiro gives you everything you need for covering the standard Java security model. ESAPI goes above and beyond by providing OWASP's globally-standardized security mechanisms.

Shiro should be used by novices like myself who really don't understand Java security and/or general applications/server security. It takes care of a lot of things for the security-ignorant. ESAPI should be used by programming security professionals that already understand Java security and want to leverage not only everything that comes with Java EE but need to go the extra mile and make things even more secure.
