用的sessionId或用户名+密码认证四郎 [英] Shiro authentication with sessionId or username+password

查看:226
本文介绍了用的sessionId或用户名+密码认证四郎的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我没有在Java身份验证框架和一般工作流程认证(仅限某些理论知识)太多的经验,所以对教育目的我想为我的HTTP应用程序创建这种类型的身份验证:


  1. 客户端登录帖子+密码 /登录

  2. 在由下式给出的凭据用户四郎日志。服务器端返回他的的sessionId

  3. 客户端请求某种资源 / myresource?的sessionId = 1234567

  4. 在给出的主题四郎日志的sessionId 。然后,服务器不会获得 / myresource (与四郎管理方法级别的访问权限)的常规工作流程。

基本上我有这些问题:


  1. 我想我没有必要对HTTP会话的Servlet也不会话。四郎有它自己的会话管理器,它足够满足我的需求。难道我错了吗?

  2. 它是好的做法,让客户真正的sessionId或者我应该送一些sessionToken(这是决定的sessionId在服务器端)?

  3. 如何登录使用的sessionId(该客户端应在本地存储)?主题

  4. 是否有任何其他的东西,我需要做这种身份验证之前就知道了?

先谢谢了。


解决方案

我想我没有必要对HTTP会话的Servlet也不会话。四郎有它自己的会话管理器,它足够满足我的需求。难道我错了吗?

没有,你是对的。这就是为什么四郎是真棒。从文档


  

    

四郎的会话支持更易于使用,比这两种[Web容器或EJB有状态会话Bean]机制管理,而且它是可在任何应用程序,无论容器。


  

例如

 主题的currentUser = SecurityUtils.getSubject();
会话的会话= currentUser.getSession();
session.setAttribute(someKeysomeValue中);

的DOC :的getSession在任何应用程序调用工作,甚至非Web应用程序

它是很好的做法,让客户真正的sessionId或者我应该送一些sessionToken(这是决定的sessionId在服务器端)?

这是一个坏主意,发送纯的sessionId。特别地,如果你通过未加密的网络发送数据。无论是使用类似HTTPS <击>或使用的东西线 NONCE

和,一个侧面说明,如果在HTTP / S POST数据,而不是在URL拥有它。

如何登录使用的sessionId(该客户端应在本地存储)?主题

您的意思怎么可能,一旦你有会话ID验证的主题?你可以简单地说,
从文档,

 主题requestSubject =新Subject.Builder()的sessionId(的sessionId).buildSubject()。

是否有任何其他的东西,我需要做这种身份验证之前就知道了?


  1. 的会话管理

  2. 精益了解 MITM攻击

  3. 了解 HTTPS 并的 SSL

  4. 在一些Hash函数,<一个href=\"http://commons.apache.org/$c$cc/apidocs/org/apache/commons/$c$cc/digest/DigestUtils.html\">Apache下议院DigestUtils 并可能

更新

关于这个问题的一部分认证 - 它将使新创建的主题目前已验证的主题?如果不是,我怎么让它的当前主题?

如果你在谈论新Subject.Builder()的sessionId(的sessionId).buildSubject(),它不会。我不知道如何将它设置为的currentUser 的的线程。四郎的<一个href=\"http://shiro.apache.org/static/current/apidocs/org/apache/shiro/subject/Subject.Builder.html\">JavaDoc说:


  

[这样]返回Subject实例不会自动绑定到应用程序(线程)继续使用。也就是说,SecurityUtils.getSubject()将不会自动返回相同的实例作为什么是建设者返回。它是由框架开发者如果需要,结合内置的主题继续使用。


所以,这是高达你如何绑定在当前线程或继续使用的问题。

如果你担心如何 SecurityUtils.getSubject(); 啄作品,以及在Web容器方面,它使用简单的cookie来存储您的会话数据。当你的请求通过四郎过滤器,它重视当前受请求它的生命周期(当前线程)。而当你为 getSubject()它只是获取主题的请求。我发现一个有趣的线索<一个href=\"http://shiro-user.582556.n2.nabble.com/Question-about-SecurityUtils-getSubject-td6952295.html\">here.

关于现时部分:如果他给我发一些散而不是他的sessionId的 - 我不能脱code将其获得真正的sessionId(授权他这一点)。我失去了一些东西在这里?

杜撰的一部分 - 这是在颈部疼痛。现在反思,我觉得做NONCE仅仅是矫枉过正。让我来解释一下,反正,


  1. 在第一时间与他的用户名和密码的用户日志。设置用户ID 现时(比如说,UUID)和 HASH(会话ID +随机数),称之为HASH1,在客户端。就是说,在cookie中。存储这个现时在服务器端,可能在DB或在地图作为 USER_ID&LT; - &GT;现时,SESSION_ID


  2. 在随后的请求,请确保您回传用户ID 现时 HASH


  3. 在服务器端,你会做的第一件事就是验证请求。获取的sessionId 现时存储在基于 USER_ID ,是由客户端发送。创建一个哈希散列(sessionId_from_db + nonce_from_db),称之为HASH2。


  4. 现在,如果匹配HASH1 HASH2,可以验证该请求,并从您存储当前的sessionId在服务器端,您可以使用它。根据要求完成,在饼干和服务器端设置新的随机数。


如果您通过1 - 4,你会意识到你将不需要四郎进行身份验证。 (:
所以,我把我的背单词,杜撰并不在这种情况下,除非应用你太任性有关安全性能上

为什么MITM攻击事给我吗?我的客户(JavaScript的AJAX $ C $三)提取数据从它的服务器通过AJAX。因此,我不认为我应该以任何方式关心MITM。

我觉得应该怎么了你。 MITM攻击意味着你的请求/响应正在通过一台机器(MITM)链接到你的路由器。如果它是一个未加密的请求时,它的所有纯文本的MITM。他可以看到所有的请求......并可能欺骗请求,并可能劫持会话。让我找到了一些例子.... <一href=\"http://michael-coates.blogspot.com/2010/03/man-in-middle-attack-explained.html\">http://michael-coates.blogspot.com/2010/03/man-in-middle-attack-explained.html

I do not have much experience in Java authentication frameworks and authentication workflow in general (only some theoretical knowledge), so for educational purposes I'm trying to create this type of authentication for my HTTP application:

  1. Client Posts login+password to /login.
  2. Shiro logs in the user by given credentials. Server returns client his sessionId.
  3. Client requests some kind of resource /myresource?sessionId=1234567.
  4. Shiro logs in the Subject by given sessionId. Then server does the regular workflow of getting the /myresource (with Shiro managing method-level access rights).

Basically I have these questions:

  1. I guess I have no need for HTTP sessions nor Servlet sessions. Shiro has it's own session manager which is enough for my needs. Am I wrong?
  2. Is it good practice to give client the real sessionId or should I send some kind of sessionToken (which is resolved to sessionId on server side)?
  3. How do I login the Subject using sessionId (which the client should store locally)?
  4. Are there any other things I need to know before doing this kind of authentication?

Thanks in advance.

解决方案

I guess I have no need for HTTP sessions nor Servlet sessions. Shiro has it's own session manager which is enough for my needs. Am I wrong?

No, you're right. That's why Shiro is awesome. From doc

Shiro's Session support is much simpler to use and manage than either of these two [web container or EJB Stateful Session Beans] mechanisms, and it is available in any application, regardless of container.

e.g.

Subject currentUser = SecurityUtils.getSubject();    
Session session = currentUser.getSession();
session.setAttribute( "someKey", someValue);

quoting from the doc: getSession calls work in any application, even non-web applications

Is it good practice to give client the real sessionId or should I send some kind of sessionToken (which is resolved to sessionId on server side)?

It is a bad idea to send plain sessionId. Specially, if you're sending data over unencrypted network. Either use something like HTTPS or use something line NONCE.

And, a side note, if over http/s POST data instead of having it in URL.

How do I login the Subject using sessionId (which the client should store locally)?

You meant how could you authenticate the subject once you have session ID? You can simply, from the doc,

Subject requestSubject = new Subject.Builder().sessionId(sessionId).buildSubject();

Are there any other things I need to know before doing this kind of authentication?

Yes.

  1. Read Shiro's Session Management
  2. Lean about MITM Attack
  3. About HTTPS and SSL
  4. Some on Hash functions this, Apache Commons DigestUtils and may be this

Updates

About that subject authentication part - will it make the newly created Subject the currently authenticated subject? If not, how do I make it the "current" subject?

If you're talking about new Subject.Builder().sessionId(sessionId).buildSubject(), it will not. And I do not know how to set it as currentUser for the thread. Shiro's JavaDoc says,

[this way] returned Subject instance is not automatically bound to the application (thread) for further use. That is, SecurityUtils.getSubject() will not automatically return the same instance as what is returned by the builder. It is up to the framework developer to bind the built Subject for continued use if desired.

so, it's upto you how you bind the subject in current thread or further use.

If you were worried about how SecurityUtils.getSubject(); thingy works, well, in web-container context, it uses simple cookie to store your session-data. When your request comes through Shiro filter, it attached the current subject to request for it's life cycle (current thread). And when you as getSubject() it simply gets the Subject from request. I found an interesting thread here.

about nonce part: If he sends me some kind of hash instead of his sessionId - I won't be able to decode it to get real sessionId (to authorize him with that). Am I missing something here?

Nonce part -- it's a pain in the neck. Now rethinking, I think doing NONCE is just overkill. Let me explain some, anyways,

  1. User logs in first time with his user-name and password. Set userid, nonce (say, UUID), and HASH(sessionID+nonce) ,call it hash1, on client side. Say, in cookie. Store this nonce on server side, may be in DB or in a Map as user_id <--> nonce,session_id

  2. On subsequent request, make sure you passback userid, nonce and the HASH.

  3. On server side, the first thing you will do is validate the request. Get the sessionId and nonce stored in the hashmap or DB based on user_id that was sent by the client. Create a hash, HASH(sessionId_from_db+nonce_from_db), call it hash2.

  4. Now, if hash1 matches hash2, you can validate the request and since you have stored current sessionId on server side, you can use it. On request completion, set new nonce in cookie and on server side.

If you go through 1 -- 4, you'll realize you wouldn't require Shiro for authentication. (: So, I am taking my words back, NONCE is not applied in this case unless you are too freaky about security over performance.

Why do MITM attack matter to me? My client (javascript ajax code) fetches data from it's server via ajax. So I do not think I should care about MITM in any way.

I think it should matter to you. MITM Attack means your requests/responses are being chained via a machine (MITM) to your router. If it's an unencrypted request, it's all plain text to the MITM. He can see all your requests... and possibly spoof the requests and may hijack session. let me find some example.... http://michael-coates.blogspot.com/2010/03/man-in-middle-attack-explained.html

这篇关于用的sessionId或用户名+密码认证四郎的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
Java开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆