Container Managed Security for Web Application


Question

I am completely new to container-managed security and need some help with configuring it in my web application.

I want to restrict access to the JSPs within my web application. This is how I have configured security in my web.xml:

<security-constraint>
    <display-name>PrivilegedConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>JSP Files</web-resource-name>
        <description>All the jsp files in the web application</description>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>PrivilegedRole</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BasicRealm</realm-name>
</login-config>
<security-role>
    <description>This is a privileged role. Has access to everything in the web app</description>
    <role-name>PrivilegedRole</role-name>
</security-role>

My questions are:

What is the purpose of realm-name in the login-config element? Where do I configure the usernames and passwords and map the users to the roles?

When I try to access a JSP within my web application, I get asked for a username and password. What do I give there? And how does this security mechanism work?

I am completely new to security, so I will be grateful if someone can point me to a nice article which explains the basics of configuring security and how it actually works.

Answer


Q: "What is the purpose of realm-name in the login-config element?"

From the Java EE 6 Tutorial:

A realm is a security policy domain defined for a web or application server. A realm contains a collection of users, who may or may not be assigned to a group.

The current behaviour is defined in the Servlet 3.0 specification:

HTTP Basic Authentication, which is based on a username and password, is the authentication mechanism defined in the HTTP/1.0 specification. A web server requests a web client to authenticate the user. As part of the request, the web server passes the realm (a string) in which the user is to be authenticated. The web client obtains the username and the password from the user and transmits them to the web server. The web server then authenticates the user in the specified realm.



Q: "Where do I configure the usernames, passwords and map the users to the roles?"

This is container specific. That is, each server vendor is free to define how users/groups are defined and how this information is configured. There is usually more than one way to do this.

Users and groups are often defined in a directory. The server is then configured to use this directory, and the administrator maps the application roles at deployment time.

A developer Tomcat test server might use a flat file; a production WebSphere server might hook into the company Exchange directory via LDAP.

Refer to your server documentation for more.


You could do worse than follow the Oracle Java EE 6 tutorial with NetBeans and GlassFish, but be aware of the steps that are specific to that vendor's products.
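The mechanism the answer describes, as an added example that is not part of the original question or answer: a small Python model of what the container does with the poster's web.xml when a request for a *.jsp arrives under BASIC authentication. The user store follows the layout of Tomcat's conf/tomcat-users.xml (the flat file the answer mentions); the user names, passwords and the ReadOnly role are constructed sample data, and handle(), audit() and the redirect-to-https step for CONFIDENTIAL are this model's own simplifications, not servlet API calls.

```python
# Added example, not code from the original post: toy model of container-managed
# BASIC authentication driven by the poster's web.xml. Sample users are constructed.
import base64
import xml.etree.ElementTree as ET

# The poster's security-constraint and login-config, trimmed to the elements that matter.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>PrivilegedRole</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BasicRealm</realm-name>
  </login-config>
</web-app>"""

# Constructed user store in the layout of Tomcat's conf/tomcat-users.xml
# (UserDatabaseRealm): this is where a developer Tomcat maps users to roles.
TOMCAT_USERS = """<tomcat-users>
  <role rolename="PrivilegedRole"/>
  <role rolename="ReadOnly"/>
  <user username="alice" password="s3cret" roles="PrivilegedRole"/>
  <user username="bob" password="hunter2" roles="ReadOnly"/>
</tomcat-users>"""


def load_policy(web_xml):
    """Pull the constraint, login-config and realm name out of web.xml."""
    root = ET.fromstring(web_xml)
    sc = root.find("security-constraint")
    return {
        "patterns": [p.text for p in sc.iter("url-pattern")],
        "roles": [r.text for r in sc.iter("role-name")],
        "transport": sc.findtext("user-data-constraint/transport-guarantee", "NONE"),
        "auth_method": root.findtext("login-config/auth-method"),
        "realm": root.findtext("login-config/realm-name"),
    }


def load_users(tomcat_users_xml):
    """username -> (password, set of roles), as the realm would hold it."""
    users = {}
    for u in ET.fromstring(tomcat_users_xml).iter("user"):
        users[u.get("username")] = (u.get("password"), set(u.get("roles", "").split(",")))
    return users


def path_is_constrained(path, patterns):
    """Servlet url-pattern matching: exact, path prefix (/x/*) or extension (*.jsp)."""
    for pat in patterns:
        if pat == path:
            return True
        if pat.endswith("/*") and path.startswith(pat[:-1]):
            return True
        if pat.startswith("*.") and path.endswith(pat[1:]):
            return True
    return False


def basic_header(user, password):
    """What the browser sends after the realm prompt: base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def handle(policy, users, path, headers, scheme="http"):
    """Return (status, response headers) the container would produce for a request."""
    if not path_is_constrained(path, policy["patterns"]):
        return 200, {}                      # unconstrained resource, no login needed
    if policy["transport"] in ("INTEGRAL", "CONFIDENTIAL") and scheme != "https":
        return 302, {"Location": "https://host" + path}   # model of the container's SSL redirect
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % policy["realm"]}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, challenge               # this is the prompt the poster saw
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, challenge
    if user not in users or users[user][0] != password:
        return 401, challenge               # unknown user or bad password: re-challenge
    if not users[user][1] & set(policy["roles"]):
        return 403, {}                      # authenticated but lacks PrivilegedRole
    return 200, {}


def audit(policy):
    """Findings a reviewer would raise about the deployment descriptor."""
    findings = []
    if policy["auth_method"] == "BASIC" and policy["transport"] == "NONE":
        findings.append("BASIC sends base64(user:password) on every request; with "
                        "transport-guarantee NONE it crosses the network in clear over http. "
                        "Use CONFIDENTIAL so the container forces HTTPS.")
    return findings
```

Calling handle() with no Authorization header returns the 401 and the `WWW-Authenticate: Basic realm="BasicRealm"` challenge that produced the poster's username/password prompt; alice (who holds PrivilegedRole in the user store) gets 200, bob authenticates but gets 403 because he lacks the role, and audit() flags the NONE transport guarantee that the poster's web.xml currently carries.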
