How to handle authentication/authorization with users in a database?


Question

Currently, I am working on a web project using JSF 2.0, Tomcat 7 and MongoDB. I have a big question of how to handle the session management and authentication/authorization with users in a database.

The structure I want is as follows: only logged in users can create events and everyone can see the created events.

  • create.xhtml --> only for logged in users.
  • events.xhtml --> public for everyone.

The basic structure I plan is:

  • Check if the page requires a logged in user (e.g. create.xhtml)
  • If yes, check if the user is logged in
  • If the user is not logged in, go to login.xhtml
  • If successfully logged in, come back to the requested page
  • Keep the "User is logged in" information unless the user clicks the log out button. (there I guess @SessionScoped gets into play)

The questions are:

  1. What is the less complicated way of doing this?
  2. Where should I use the @SessionScoped annotation? In Create.java or LoginManager.java?
  3. Spring Security looks kind of complicated for my issue, do I really need it? If yes, can you explain a little bit of how the implementation works together with JSF 2.0 and MongoDB?


Answer

There are several options. Which to choose is fully up to you. Just objectively weigh the concrete advantages and disadvantages according to your own situation.

Option 1: container managed authentication

Just declare a <security-constraint> in web.xml which refers to a security realm configured in the servletcontainer. You can specify for your webapp the URL pattern(s) which should be checked for login and/or role(s), e.g. /secured/*, /app/*, /private/*, etc.

Before Java EE 8, you unfortunately still need to configure a security realm in a servletcontainer-specific way. It's usually described in the servletcontainer-specific documentation. In case of Tomcat 8, that's the Realm HOW-TO. For example, a database based realm based on users/roles tables is described in the section "JDBCRealm".

Since Java EE 8, there will finally be a standard API based on JSR-375.

Advantages:

  • Since Java EE 8, there's finally a robust and flexible standard API.

Disadvantages:

  • Before Java EE 8, realm configuration is container-specific. In Java EE 8, the new JSR-375 Security Spec should solve that with help of JASPIC.
  • Before Java EE 8, there is no fine grained control.
  • Before Java EE 8, it's very spartan; no "remember me", poor error handling, no permission based restriction.

See also:

  • Performing user authentication in Java EE / JSF using j_security_check - contains complete code examples
  • Java EE kickoff application - example web application (developed by me) which also demonstrates Java EE 8 authentication with Soteria (the JSR-375 RI).

Option 2: write your own filter

This allows for much more fine grained control, but you're going to need to write all the code yourself and you should really know/understand how to implement such a filter to avoid potential security holes. On the JSF side, you could for example just put the logged-in user as a session attribute by sessionMap.put("user", user) and check in the filter if session.getAttribute("user") is not null.

Advantages:

  • Fine grained control.
  • Fully independent from the container.

Disadvantages:

  • Reinventing the wheel; new features require a lot of code.
  • As a developer, you can't be sure that the code is fully solid.

See also:

  • Is there any easy way to preprocess and redirect GET requests? - contains introductory explanation and kickoff example for authentication
  • Authorization redirect on session expiration does not work on submitting a JSF form, page stays the same - contains a more extended kickoff example for authentication which also covers ajax requests
  • JSF: How control access and rights in JSF? - contains kickoff example for authorization

Option 3: adopt a third-party framework

For example, Apache Shiro, Spring Security, etc. This usually offers much more fine grained configuration options than standard container managed authentication and you don't need to write any code for this yourself, except for the login page and some (XML) configuration of course.

Advantages:

  • Fine grained control.
  • Fully independent from the container.
  • No reinventing the wheel.

Disadvantages:

  • Some learning curve.

See also:
  • JSF2 - Shiro tutorial - an extensive tutorial on integrating Shiro in JSF2 webapp
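The session-attribute check that option 2 describes, together with the question's planned flow of redirecting to the login page and coming back to the requested page afterwards, as an added example that is not part of the original answer. It assumes the login bean stores the user under the session key "user", that the login page is /login.xhtml and that protected pages live under /secured/* (all assumptions), and it also handles the JSF ajax case that the second "See also" link above refers to.

```java
// Added example, not from the original answer. Assumes the login bean stores the
// logged-in user under session key "user" and that the login page is /login.xhtml.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Mapped only to the protected area, so events.xhtml and login.xhtml stay public.
@WebFilter("/secured/*")
public class LoginFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // don't create a session just to look
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        boolean ajax = "partial/ajax".equals(request.getHeader("Faces-Request"));
        String loginURL = request.getContextPath() + "/login.xhtml";

        if (loggedIn) {
            // Forbid caching so "back" after logout cannot show a protected page.
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            response.setHeader("Pragma", "no-cache");
            response.setDateHeader("Expires", 0);
            chain.doFilter(req, res);
        } else if (ajax) {
            // The JSF ajax client ignores a 302; it expects the redirect in its own XML form.
            response.setContentType("text/xml");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().printf("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<partial-response><redirect url=\"%s\"></redirect></partial-response>", loginURL);
        } else {
            // Remember the requested page so the login bean can send the user back there.
            // Store only the server-parsed URI, never a user-supplied URL, to avoid open redirects.
            String query = request.getQueryString();
            request.getSession().setAttribute("requestedPage",
                request.getRequestURI() + (query == null ? "" : "?" + query));
            response.sendRedirect(loginURL);
        }
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

After a successful login, the login bean reads the "requestedPage" session attribute and redirects there, falling back to a default page when it is absent.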
