如何在Web应用程序中实现HTTPS登录页面?
[英]How to implement a HTTPS login page in a web application?
问题描述
I want to create a secure login/logout mechanism. 
我想创建一个安全的登录/注销机制。 I started reading the following articles to get an idea of things to take into account: 我开始阅读以下文章,以了解要考虑的事项:
- Solving the Logout Problem Properly and Elegantly 正确优雅地解决退出问题
- Revisiting the logout problem 重新审视注销问题
These articles make some good points, but I was thinking in using HTTPS in a similar way as the Yahoo mail login page. 这些文章提出了一些好处,但我正在考虑以与Yahoo邮件登录页面类似的方式使用HTTPS。 You know... you type http://mail.yahoo.com and you are redirected to a HTTPS page like **https://**login.yahoo.com/config/login where you insert your username and password and after your credentials are verified you are redirected back to a HTTP page with a generated session_id cookie and all communications from there on are on HTTP using the cookie. 您知道...您输入http://mail.yahoo.com并重定向到HTTPS页面,例如** https://**login.yahoo.com/config/login,其中您插入了用户名和密码,验证您的凭据后,您将被重定向回具有生成的session_id cookie的HTTP页面,并且所有通信都在使用cookie的HTTP上。
What do I need to implement this behavior? 我需要什么来实现这种行为?
I want to do this for two Java web apps (one with Spring framework and one with Struts 1) but don't know exactly how to integrate that HTTPS part into the application (I have never worked with HTTPS before). 我想为两个Java Web应用程序(一个使用Spring框架,一个使用Struts 1)执行此操作,但不知道如何将该HTTPS部分集成到应用程序中(我之前从未使用过HTTPS)。
6 个解决方案
解决方案1
16 已采纳 2009-09-25 07:18:40
First of all you need to enable SSL for your server. 首先,您需要为服务器启用SSL。 For Tomcat you need to generate an openSSL keystore and add the following connector to server.xml: 对于Tomcat,您需要生成openSSL密钥库并将以下连接器添加到server.xml:
<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
keystoreFile="mykeystore" sslProtocol="TLS"
keystorePass="keystore password" />
To integrate SSL into your application I recommend Spring Security. 要将SSL集成到您的应用程序中,我建议使用Spring Security。 It offers exactly what you want (login over HTTPS, then redirected to HTTP). 它提供您想要的(通过HTTPS登录,然后重定向到HTTP)。 All you have to do to implement it, is to set forceHTTPS to true: 要实现它,您需要做的就是将forceHTTPS设置为true:
<bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl" value="/pages/login.jsp" />
<property name="forceHttps" value="true"/>
</bean>
Of course Spring and Spring security do have a rather steep learning curve, but it is totally worth it. 当然,春季和春季安全确实有一个相当陡峭的学习曲线,但它是完全值得的。 Do it once and then you can apply it to new apps in less than an hour. 做一次,然后你可以在不到一个小时的时间内将它应用到新的应用程序。 You can use Spring Security in both the Spring and Struts application. 您可以在Spring和Struts应用程序中使用Spring Security。
Spring security used to be Acegi security. Spring安全性曾经是Acegi的安全性。 This is an article that will get you started. 这篇文章将帮助您入门。
解决方案2
3 2009-09-21 11:23:02
Not sure about any Java or spring specifics, but in general: 不确定任何Java或弹簧细节,但一般情况下:
1) Set up an SSL cert on your server. 1)在服务器上设置SSL证书。
2) Forward or Link to an absolute URL (with https:// at the beginning) when going to login page 2)转到登录页面时转发或链接到绝对URL(在开头使用https://)
3) Forward to an absolute URL (with http://) after successful authentication. 3)成功验证后转发到绝对URL(使用http://)。
4) Include a check in the login page code to only accept https connections. 4)在登录页面代码中包含一个检查,仅接受https连接。
Of course there may be framework specific ways of doing the http/https redirect without resorting to explicitly specifying the full URL. 当然,可能存在特定于框架的方式来执行http / https重定向,而无需明确指定完整的URL。
解决方案3
3 2009-09-21 11:48:52
@see Acegi (spring security) @see Acegi(春季安全)
I think it provides all required components. 我认为它提供了所有必需的组件。 For example it supports login via https. 例如,它支持通过https登录。 There is a good reference . 有一个很好的参考 。 How to get https login you can read here . 如何获取https登录,您可以在这里阅读。 I think you should read all. 我想你应该读完所有。
解决方案4
1 2009-09-28 03:23:52
I'd recommend investigating a single sign-on solution of some sort. 我建议调查某种单点登录解决方案。 A quick search in Google yields JOSSO , Open SSO , and CAS , among others. 在Google中快速搜索会产生JOSSO , Open SSO和CAS等。 I've worked a little bit with CAS before and had some positive experiences with it. 我之前和CAS一起工作过一段时间,并且对它有一些积极的经验。 Spring Security also has support built in to work with CAS. Spring Security还内置了支持CAS的支持。
解决方案5
1 2009-09-29 08:21:28
Load for secure pages a script to check the token. 加载安全页面脚本以检查令牌。
at top of your script: 在脚本的顶部:
if(!getSecurityToken()) // 1
redirect(login_page)
if(!checkToken(token)) // 2
redirect(login_page)
The login page should set the secure token and create a session, which would then be passed in the request. 登录页面应设置安全令牌并创建会话,然后在会话中传递该会话。 The server keeps track of which session owns which token. 服务器跟踪哪个会话拥有哪个令牌。 For implementing the server you must implement for your scripts the checkToken method. 要实现服务器,必须为脚本实现checkToken方法。 The token should be saved in cookies or else in someway saved in the page (for subsequent requests). 令牌应保存在cookie中,或者以某种方式保存在页面中(用于后续请求)。
When a request is made to the server it must contain the token, or else will fail redirect (1). 当向服务器发出请求时,它必须包含令牌,否则将失败重定向(1)。
When the users session expires (by logout or timeout) then the mapping in the server will no longer exist (session id to token id) and thus any new requests with the token will be invalid and cause a redirect(2). 当用户会话到期时(通过注销或超时),服务器中的映射将不再存在(会话ID到令牌ID),因此带有令牌的任何新请求都将无效并导致重定向(2)。
解决方案6
0 2011-08-23 01:19:16
This post has an interesting solution: 这篇文章有一个有趣的解决方案
http://forum.springsource.org/archive/index.php/t-65651.html http://forum.springsource.org/archive/index.php/t-65651.html
The guy used a filter to keep the session active during the switch (https - http) 这家伙使用过滤器在交换机期间保持会话活动(https - http)
It worked for me! 它对我有用!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.