
Spring MVC security based on Session Attribute

I am using a security scheme that is based on session attributes. I know that Spring has Acegi Security, but I don't have much time to study that module. I just want to share this to solicit comments.

The pseudocode is like this.

  1. On successful login, I am setting an attribute on the user session. The object that I am placing as a session attribute is a simple JavaBean with a map of privileges.

    import java.util.Map;

    public class UserInfo {
        private String role;                       // e.g. "User", "Guest", "Admin", "Super Admin"
        private Map<String, Boolean> privileges;   // privilege name -> granted?
        public String getRole() { return role; }
        public void setRole(String role) { this.role = role; }
        public Map<String, Boolean> getPrivileges() { return privileges; }
        public void setPrivileges(Map<String, Boolean> privileges) { this.privileges = privileges; }
        // true only when the named privilege is explicitly granted
        public boolean checkPrivilege(String name) {
            return privileges != null && Boolean.TRUE.equals(privileges.get(name));
        }
    }

  2. The session attribute also contains the role of the user (he could be a User/Guest/Admin/Super Admin). Now there are certain privileges that are authorized to a User.

For my JSP, I just check the user session for his role and privilege.

My rough code, using JSTL, is like this:

    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
    <%-- "userInfo" is the session attribute set at login; "ADD" is the privilege key (both assumed names) --%>
    <c:if test="${sessionScope.userInfo.role == 'User' and sessionScope.userInfo.privileges['ADD']}">
        <input type="button" value="Add"/>
    </c:if>
    <%-- otherwise nothing is rendered: no Add button --%>

I have these questions:

  1. Are session attributes considered secure, so that no one else can sniff or hack them?
  2. Is security based on this scheme considered secure enough?

Session attributes are stored on the server side only, so yes, they are secure.

There is no problem with putting these security identifiers into session attributes in terms of security. But that is the easy part of web application security! The hard part is the rest of the security infrastructure, which I am concerned that you have not thought about yet.

I recommend you investigate Spring Security.
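The following is an added example, not code from the question or from either answer. It fills in what the second answer calls "the rest": the JSTL test in the question only decides whether the Add button is rendered, so a client can still POST to the add URL directly, and the same privilege test has to run on the server before the handler does anything. It also rotates the session ID at login, because what a network attacker can sniff is not the attribute (which never leaves the server) but the session cookie that names it. The attribute name "userInfo", the privilege keys "ADD"/"DELETE"/"VIEW", the paths under /items, the demo credential store and a Servlet 3.1 / Spring 5 stack are all assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** Stand-in for the question's UserInfo bean (assumed shape: a role plus a privilege map). */
class UserInfo {
    private final String role;
    private final Map<String, Boolean> privileges;
    UserInfo(String role, Map<String, Boolean> privileges) { this.role = role; this.privileges = privileges; }
    public String getRole() { return role; }
    public Map<String, Boolean> getPrivileges() { return privileges; }
    public boolean checkPrivilege(String name) { return Boolean.TRUE.equals(privileges.get(name)); }
}

/** Step 1 of the question: on successful login, store the bean in the session. */
@Controller
class SessionLoginController {
    // Constructed demo credential store for the example only; a real application verifies a salted hash.
    private static final Map<String, String> DEMO_PASSWORDS = Map.of("alice", "correct horse battery staple");

    @PostMapping("/login")
    public String login(@RequestParam String username, @RequestParam String password,
                        HttpServletRequest request) {
        String expected = DEMO_PASSWORDS.get(username);
        if (expected == null || !expected.equals(password)) {
            return "redirect:/login?error";
        }
        Map<String, Boolean> privileges = new HashMap<>();
        privileges.put("VIEW", Boolean.TRUE);
        privileges.put("ADD", Boolean.TRUE);           // the key the JSP tests before rendering the Add button
        request.changeSessionId();                     // Servlet 3.1+: a session ID fixed before login is not promoted
        request.getSession(true).setAttribute("userInfo", new UserInfo("User", privileges));
        return "redirect:/home";
    }
}

/** The server-side half of the scheme: the JSP check repeated before every protected handler. */
class PrivilegeInterceptor implements HandlerInterceptor {
    // Assumed mapping from protected path to the privilege it requires; unlisted paths are refused.
    private static final Map<String, String> REQUIRED =
            Map.of("/items", "VIEW", "/items/add", "ADD", "/items/delete", "DELETE");

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String needed = REQUIRED.get(path);
        if (needed == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);   // fail closed for unknown paths
            return false;
        }
        HttpSession session = request.getSession(false);            // never create a session just to inspect it
        Object attr = session == null ? null : session.getAttribute("userInfo");
        if (!(attr instanceof UserInfo)) {
            response.sendRedirect(request.getContextPath() + "/login");   // not logged in
            return false;
        }
        if (!((UserInfo) attr).checkPrivilege(needed)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);         // logged in, but not authorised
            return false;
        }
        return true;                                                      // handler may run
    }
}

/** Registers the interceptor for the paths the REQUIRED map covers. */
@Configuration
class PrivilegeInterceptorConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new PrivilegeInterceptor()).addPathPatterns("/items/**", "/items");
    }
}
```

With this in place, a request to /items/add from a browser that never logged in is redirected to /login, a logged-in user without the ADD privilege gets 403, and hiding the button in the JSP becomes what it really is: a usability choice rather than the access control. The interceptor is the piece Spring Security supplies for you (as a filter, with a declarative rule set), which is the substance of the second answer's recommendation.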

Declaration: the technical posts on this site are licensed under CC BY-SA 4.0; if you reproduce them, please cite this site's URL or the original address.
