使用 Tomcat 应用程序保护 HttpServer 上的内容 - 有什么想法吗? [英] Secure content on HttpServer using a Tomcat Application - any ideas?
问题描述
我们在 Tomcat 上有一个 Web 应用程序.该应用程序从专用的 Apache HTTPServers 访问内容(机密).我们不希望未经授权的用户访问此内容.即只有通过 WebApp(在 Tomcat 上)认证的用户才能访问 HttpServer 内容.(我们使用 HTTPS 来保护网络,但如果有人获得内容的直接 httpserver url,他们可能会下载内容.
We have a Web Application on Tomcat. The App accesses content(confidential) from dedicated Apache HTTPServers. We do not want un-authorized users accessing this content. i.e. Only users authenticated through WebApp(on Tomcat) can access HttpServer content. (We are using HTTPS to secure the network, but if someone gets the direct httpserver url for content they may download content).
我们正在考虑在 Tomcat 上的同一个 web 应用程序中托管内容.有什么想法吗?
We are thinking of hosting content in side the same webapp on Tomcat. Any ideas?
推荐答案
执行此操作的简单/懒惰方法是强制要求每次访问 Apache 服务器时的 HTTP Referrer 都是 Tomcat 服务器的地址.一个页面:http://www.htaccess-guide.com/deny-visitors-by-referrer/
The easy/lazy way to do this is to enforce that the HTTP Referrer on each hit to the Apache servers is the addrress of your Tomcat server. A page on that: http://www.htaccess-guide.com/deny-visitors-by-referrer/
但是,如果黑客发现这是您的保护方案,那么他们就可以欺骗 HTTP 引荐来源网址.
However, it's fairly trivial for a hacker to spoof the HTTP referrer if they figure out that's your protection scheme.
两种更复杂但安全的方法,按工作顺序排列:
Two more complicated but secure methods, in order of effort:
在 Tomcat 服务器上写一个 JSP 页面或其他东西来验证用户是否登录,然后通过 HTTP 从 Apache 获取数据,然后将数据输出回最终用户.通过这样做,您可以有效地编写自己的反向代理.然后将 Apache 服务器锁定为仅向 Tomcat 服务器的 IP 地址(以及您希望允许的任何其他授权/内部 IP)提供页面.优点:做起来还是很快的.缺点:您正在使用 tomcat 资源来显示其他服务器上的每个页面,它会引入可伸缩性问题,尤其是如果 apache 服务器提供大量字节(例如,如果 apache 提供 500 meg 文件,这会耗尽吗?你的 tomcat 脚本的内存?这取决于你编码和测试 JSP 页面的程度!小心!).如果页面很小,那可能不是问题.
Write a JSP page or something on the Tomcat server that verifies the user is logged in, then fetches the data off Apache by HTTP, and then outputs the data back to the end user. You are effectively writing your own reverse proxy by doing this. Then have the Apache server locked down to only serve pages to the Tomcat server's IP address(es) (and any other authorzied/internal IPs you wish to allow). Pros: still pretty quick to do. Cons: you're using tomcat resources to display each page off the other server, it can introduce scalability issues, especially if the apache servers serve up large numbers of bytes (for instance, if apache serves up a 500 meg file, will that exhaust your tomcat script's memory? That depends how well you code and test your JSP page! Beware!). If the pages are tiny, it's probably not an issue.
在 Apache 和 Tomcat 之间实现某种单点登录.这可能是基于 cookie 的或者更高级的东西(比如跟踪会话的后端身份验证服务器).通过这种方式,Apache 将知道请求 https://页面的用户已正确验证,否则将拒绝该请求.优点:完全可扩展.缺点:更难设置,许多解决方案都是商业/付费产品.
Implement some kind of Single Sign On between Apache and Tomcat. This could be cookie based or something fancier still (like with a backend authentication server tracking the sessions). In this way Apache would know that the user requesting the https:// page was properly authenticated and would deny the request otherwise. Pros: Completely scalable. Cons: harder to set up, many of the solutions out there are commercial/pay products.
这篇关于使用 Tomcat 应用程序保护 HttpServer 上的内容 - 有什么想法吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
