寻找一个简单,安全的会话设计与servlet和JSP [英] Looking for a simple, secure session design with servlets and JSP
问题描述
我正在开发一个仅支持Intranet的Web应用程序(J2EE),它需要一些基本的安全功能。该网站的授权用户相对较少,但我仍需要实施某种安全会话。
我正在看的基本流程是访问网站= >登录=>使用site =>完成后注销(或在浏览器关闭时自动注销)。没什么好看的,甚至在登录时都没有记住我选项。大部分认证工作已经完成 - 该站点只能通过https访问,而且我有一个存储用户名和(加密)密码的数据库。 / p>
因此,一旦用户登录,实现安全会话的最简单的方法是什么(理想情况下,没有任何JBoss / JSP在幕后做的cookie)? I.E.阻止用户直接请求登录屏幕之外的页面等。
是否只需检查会话中某些isUserAuthenticated类似的值,检查是否存在对于我的servlet中的所有传入请求,会话是否存在(例如 request.getSession(false))?那么阻止用户获取JSP文件并强制他们为所有请求使用servlet呢?任何其他考虑因素(及其解决方案)?
听起来你可以使用简单的声明性安全方法。
请参阅Java EE Tutorial部分,了解保护Web应用程序,特别是在声明性安全性部分
解决您的具体问题:
什么是最简单的...
实现安全会话的方式? I.E.
阻止用户直接
请求超出登录
屏幕的页面等。
声明您在具有适当安全角色的webapp描述符(web.xml)中的URL。未经授权的用户将无法访问它们(尝试访问它们会带来登录页面)。
这只是一个问题检查
会话中的某些
isUserAuthenticated类似值,
检查会话是否存在(例如
request.getSession(false))所有
传入请求在我的servlet中?
所有这些都是完全没必要的; servlet容器将在幕后为你完成。
如何防止用户从
获取JSP文件并强制它们为
对所有请求使用servlet吗?
只要JSP不需要公开访问(例如你转发到它们来自您的servlet;您永远不会重定向到JSP)您可以在具有安全角色的集合中声明其URL,这些角色从未实际分配给用户。
I'm working on an intranet-only web application (J2EE) that requires some basic security features. There will be relatively few authorized users for the site, but I still need to implement some sort of secure session.
The basic flow I'm looking at is visit site => log in => use site => log out when done (or automatically log out when the browser is closed). Nothing fancy at all, not even a "remember me" option when logging in. Most of the work for authentication is already done - the site is accessible only over https, and I have a database which stores usernames and (encrypted) passwords.
So, once the user has logged in, what's the simplest (ideally no cookies beyond whatever JBoss/JSPs would do behind the scenes) way to implement a secure session? I.E. prevent users from just directly requesting pages beyond the login screen, etc.
Is it just a matter of checking the session for some "isUserAuthenticated"-like value, checking that the session exists (e.g. request.getSession(false)) for all incoming requests in my servlet? What about preventing users from getting JSP files and forcing them to use a servlet for all requests? Any other considerations (and their solutions)?
Sounds like you can use simple declarative security approach.
Take a look at Java EE Tutorial section for Securing Web Applications , particularly at declarative security section
To address your specific questions:
What's the simplest ... way to implement a secure session? I.E. prevent users from just directly requesting pages beyond the login screen, etc.
Declare your URLs in webapp descriptor (web.xml) with an appropriate security role. They'll be inaccessible to unauthorized users (and attempt to access them will bring forth a login page).
Is it just a matter of checking the session for some "isUserAuthenticated"-like value, checking that the session exists (e.g. request.getSession(false)) for all incoming requests in my servlet?
All that will be completely unnecessary; servlet container will do it for you behind the scenes.
What about preventing users from getting JSP files and forcing them to use a servlet for all requests?
As long as JSPs never need to be accessed publicly (e.g. you're forwarding to them from within your servlet; you're never redirecting to a JSP) you can declare their URLs in a collection with security role that is never actually assigned to a user.
这篇关于寻找一个简单,安全的会话设计与servlet和JSP的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
