资源下载游戏！ 2 - 认证没有意义 [英] Java Play! 2 - Authentication does not make sense

问题描述

这是一个从的Java游戏跟进！ 2 - 用户管理与饼干

从zentask例如

    public class Secured extends Security.Authenticator {

        @Override
        public String getUsername(Context ctx) {
            return ctx.session().get("email");
        }

        @Override
        public Result onUnauthorized(Context ctx) {
            return redirect(routes.Application.login());
        }

        // Access rights

        public static boolean isMemberOf(Long project) {
            return Project.isMember(
                project,
                Context.current().request().username()
            );
        }

        public static boolean isOwnerOf(Long task) {
            return Task.isOwner(
                task,
                Context.current().request().username()
            );
        }


}

对于我来说，这并不真的是有道理的。

For me this doesn't really makes sense.

用户得到以下的cookie。例如，email=test@test.com

User gets the following cookie. for example "email=test@test.com"

如果我去一个安全页面，zentask只检查电子邮件是不是空。这怎么能是安全的？

If I go to a "secured" page , zentask only checks if email is not null. How can this be secure?

会议的原因是得到加载了分贝。但是使用这种方法，他必须不断检查用户是否有权限来安全网页上。

The reason of sessions are to get load off the db. But with this approach he has to constantly check if the user has the rights to on a secured page.

对于我来说它并没有真正有意义。为什么会有这个功能getUsername？又为何是返回类型的字符串？

For me it doesn't really makes sense. Why is there a function getUsername? And why is the return type a string?

我想这样做财产以后这样的：

I want to do somthing like this:

• 在用户登录，并得到一个cookie看起来像财产以后这个值= randomString

• User logs in and gets a cookie which looks somthing like this "value=randomString"

安全在缓存中，例如用户对象 Cache.set（randomstring，userObject）;

Safe the user OBJECT in the cache for example Cache.set(randomstring,userObject);

现在如果游客回来我检查他的randomstring是在我的缓存，如果是检查是否在现金User对象必须是安全的页面上。权利

Now if the visitor comes back I check if his randomstring is in my cache, if yes check if the User object in the cash has the rights to be on the secured page.

我能做到这一点，就没有@ Security.Authenticated（）注释。

I was able to achieve this, just without the @Security.Authenticated() annotation.

是否有可能与此注释实现这一目标？

Is it possible to achieve this with this annotation?

推荐答案

这仅仅是一个样品，没有别的。你并不需要存储的电子邮件中的cookie。您可以为一个例子节省一些哈希识别登录的用户，或做一些其他的配套。

It is just a sample, nothing else. You don't need to store a email in the cookie. You can for an example save some hash to identify logged user, or do some other matching.

样品尽可能简单，它改变到更复杂的方案规定的开发侧。

Samples are as simple as possible, changing it to more sophisticated scenarios lays on the developers side.

BTW当然，所有游戏的饼干签署，我真怀疑你将能够手动更改。

BTW of course all Play's cookies are signed and I really doubt if you'll be able to manually change it.

这篇关于资源下载游戏！ 2 - 认证没有意义的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！