本地 java 桌面应用程序的登录架构
[英]Login architechture for a local java desktop application
问题描述
Hi,
你好,
I am trying to write my first simple local desktop application with login capabilities.我正在尝试编写我的第一个具有登录功能的简单本地桌面应用程序。 There should be support for different types of users with different access rights.应该支持具有不同访问权限的不同类型的用户。 I have managed to come up with something that works in a simple version of the program, however, it feels flawed on several levels.我设法想出了一些可以在程序的简单版本中运行的东西,但是,它在几个层面上都存在缺陷。 I simply don't know if I am on the right track with the structure of the entire application.我只是不知道我在整个应用程序的结构上是否走在正确的轨道上。 I am also very uncertain about security.我对安全性也很不确定。
Here is my current implementation (only the login specific classes/methods) :这是我当前的实现(仅登录特定的类/方法) :
Question:问题:
Does anyone have recommendations for how to implement this kind of system?有人对如何实施这种系统有建议吗? Or is there somewhere I can learn more about how to structure an application in a way that makes sense?或者在某个地方我可以了解更多关于如何以一种有意义的方式构建应用程序的信息? I have been learning a lot of design patterns and OOB principals, but I have a hard time applying them in a real application.我一直在学习很多设计模式和 OOB 原则,但我很难将它们应用到实际应用程序中。
NB: If context matters, the application is a fictional computer store that lets administrators add different types of computer components to an inventory.注意:如果上下文很重要,则该应用程序是一个虚构的计算机商店,允许管理员将不同类型的计算机组件添加到库存中。 Customers can search and filter through these parts and create their own configuration.客户可以搜索和过滤这些部分并创建自己的配置。 Customers can then order that configuration.然后客户可以订购该配置。
1 个解决方案
解决方案1
1 2020-04-05 01:04:26
What's the point of the password feature?密码功能的意义何在? If it runs on a machine that is under the control of some user and not under yours, they will have access.如果它在受某些用户控制而不是您的控制的机器上运行,他们将有权访问。 There's nothing you can do about this.你对此无能为力。
Generally, for apps that run entirely locally, piggyback on the OS itself;通常,对于完全在本地运行的应用程序,搭载操作系统本身; store the data in the user's home dir and make sure the file's access rights are such that other (non-admin) users can't read it.将数据存储在用户的主目录中,并确保文件的访问权限使得其他(非管理员)用户无法读取它。 Other admin users?其他管理员用户? Well, they are admin users.好吧,他们是管理员用户。 If they wanna read it, they can, that's sort of the point of such users.如果他们想阅读它,他们可以,这就是这些用户的意义所在。 You can't stop them from doing this.你不能阻止他们这样做。 If you store the relevant data per user in a file that only they can read, there's no need for a username/password prompt at all;如果您将每个用户的相关数据存储在只有他们可以读取的文件中,则根本不需要用户名/密码提示; their 'login' is their local username, and their 'authentication' is inherent.他们的“登录”是他们的本地用户名,他们的“身份验证”是固有的。 Simple.简单的。
The one time where a user/pass setup MIGHT make sense is if the app is started by an administrator and is started in a locked down mode, where the one operating the keyboard and mouse cannot get at the case of the system and cannot close the app at all.用户/通行证设置可能有意义的一次是,如果应用程序由管理员启动并以锁定模式启动,在这种模式下,操作键盘和鼠标的人无法进入系统,也无法关闭应用程序。 That's for example how an ATM works: Those are just windows machines, where the 'keyboard' is just a numpad, and the mouse and the computer system itself are locked away in a bunch of brick and metal.这就是 ATM 的工作原理:那些只是 windows 机器,其中的“键盘”只是一个数字键盘,鼠标和计算机系统本身被锁在一堆砖块和金属中。 If you do this, make sure you apply proper password hygiene;如果您这样做,请确保您应用了正确的密码卫生; don't store it, store its bcrypt/pbkdf/argon2/scrypt hash instead.不要存储它,而是存储它的 bcrypt/pbkdf/argon2/scrypt hash。 That way if someone gets at that file, your app is hosed but at least if that user re-used their passwords on other sites (which users do, in spades), the hack won't expose that too.这样,如果有人获取了该文件,您的应用程序就会被破坏,但至少如果该用户在其他网站上重新使用了他们的密码(用户确实如此),黑客也不会暴露这一点。
I assume you don't have that, which brings us back to: What are you attempting to accomplish with the password?我假设你没有那个,这让我们回到:你想用密码完成什么?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.