How to transfer secret usernames and passwords between ViewScoped beans?
I am working on a web project where, in order to minimize session bloating, I am primarily using ViewScoped beans. But then I face the problem that I need to transfer clients' usernames and passwords between my beans (to access the database etc.).
I have made a system where I am using flash objects to transfer usernames and passwords between beans, such as this:
import javax.faces.context.FacesContext;
import javax.faces.context.Flash;

public String gotoNextView() {
    Flash flash = FacesContext.getCurrentInstance().getExternalContext().getFlash();
    // Re-put the values so they are carried over to the next request as well
    // (Flash.keep(key) does the same thing).
    flash.put("user_name", (String) flash.get("user_name"));
    flash.put("password", (String) flash.get("password"));
    return "/../../next_view.xhtml";
}
But I am worried about whether it is somehow possible for a hacker to manipulate the client and thereby trick the server into exposing the flash objects!
Another solution that I am thinking about is to store all the JSESSIONIDs for the web application as keys in a Map, with the usernames and passwords as values. To make that work I suppose that I need a callback method to be called when a user session ends or expires, so that I can remove the relevant JSESSIONID from the Map. But the problem with that solution is that I am in doubt about the best way to implement the callback so that I can be 100% sure that the Map entry is removed before a new similar JSESSIONID is created by the server (even though I know that the chances are extremely small that it will happen in such a short amount of time). Also I am in doubt about what to do with beans that are working with a JSESSIONID (a user) if for some reason the server discards the JSESSIONID before the bean (and, for example, its database operations) is finished, as I then risk that a new similar JSESSIONID is created by the server for another user, which might then get mingled with the JSESSIONID and user the other bean is servicing!
I hope that someone with deep insight into the problem will write about what the best practice and a 100% secure way to do this is (I also suppose that most people working with JSF webapp servers encounter this problem, and therefore it would be helpful for others to know the best solution to it). Thanks.
I think you're under a misconception here. The fact that a variable resides in one managed bean, and then is "passed" to another managed bean, does not mean that there's actual movement across a physical medium. All view-scoped beans are implemented in the same storage area (I believe it's the UIViewRoot object). At this level, there's an implicit Boundary of Trust between these entities, and unless there's user-accessible movement between the two beans (maybe a client-side variable, URL parameter or other HTTP artifact), I don't see the risk.
What this means is that, regardless of the specific @ViewScoped bean the variable sits in, they're all exposed to the same vulnerability (if any). "Passing" a variable between the beans doesn't introduce any new risk. Unless you're displaying the values anywhere to the users (maybe in the URL or in a hidden HTML form element), there's no new risk introduced by the @ViewScoped object in and of itself (improper use of the scopes is a different matter).
Ultimately, if you're still concerned about it, just encrypt your stuff (consider the overhead) before handing the variable to another entity.
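An idiomatic form of the flash hand-off discussed in the question and the answer, as an added example that is not code from the original thread: the credentials only ever sit in server-side stores (the flash and the view map), the password has no getter so no EL expression can render it into the page or URL, and the receiving view reads the values once in @PostConstruct. It assumes JSF 2.x managed beans and the default server-side state saving (javax.faces.STATE_SAVING_METHOD left at server), which is what keeps the UIViewRoot holding these beans from being serialized into the javax.faces.ViewState field sent to the client; the bean names and the navigation outcome are constructed.

```java
import java.io.Serializable;
import javax.annotation.PostConstruct;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.ViewScoped;
import javax.faces.context.FacesContext;
import javax.faces.context.Flash;

// ---- LoginViewBean.java (constructed example) ----
// Hands the login form values to the next view through the flash, a server-side
// store tied to the session; nothing is written to the URL or into the page.
@ManagedBean
@ViewScoped
public class LoginViewBean implements Serializable {
    private static final long serialVersionUID = 1L;
    private String userName;  // bound to the login form
    private String password;  // bound to the login form

    public String gotoNextView() {
        Flash flash = FacesContext.getCurrentInstance().getExternalContext().getFlash();
        flash.put("user_name", userName);  // visible to exactly one following request
        flash.put("password", password);
        flash.setRedirect(true);           // the navigation below is a redirect
        return "next_view?faces-redirect=true";
    }
    public String getUserName() { return userName; }
    public void setUserName(String v) { userName = v; }
    // Write-only on purpose: without getPassword() no EL expression can render it.
    public void setPassword(String v) { password = v; }
}

// ---- NextViewBean.java (constructed example) ----
// Reads the credentials once, while the flash entries are still alive.
@ManagedBean
@ViewScoped
public class NextViewBean implements Serializable {
    private static final long serialVersionUID = 1L;
    private String userName;

    @PostConstruct
    public void init() {
        Flash flash = FacesContext.getCurrentInstance().getExternalContext().getFlash();
        userName = (String) flash.get("user_name");
        String password = (String) flash.get("password");
        if (userName == null || password == null) {
            throw new IllegalStateException("view opened without passing the login view");
        }
        // Use the credentials here (e.g. open the database connection); do not copy
        // the password into a field, so it is gone once this request ends.
    }
    public String getUserName() { return userName; }
}
```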