Passing a password for methods for Spring MVC Controller - AOP or Spring Security?

I have been using Spring MVC for a short while now with annotated controllers for JSP pages. I have a class similar to this:

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

@Controller
public class AdminController {

    @RequestMapping(value = "/doStuff1.htm", method = RequestMethod.POST)
    public void doStuff1(@RequestParam("password") String password) {

        // do some stuff

    }

    @RequestMapping(value = "/doStuff2.htm", method = RequestMethod.POST)
    public void doStuff2(
            @RequestParam("password") String password,
            @RequestParam("foo") String foo) {

        // do some stuff

    }
}

As you can see, every call will have a password param passed in. The password is read from a dialog and passed into every call that is submitted.

I would like to get rid of the password parameter from the method calls to have 'cleaner' code.

I had a quick look at Spring Security for this purpose but it seemed a bit heavyweight. Maybe AOP can be used?

Is there an obvious solution I'm missing?

Many thanks, - Scott

As you can see, every call will have a password param passed in. The password is read from a dialog and passed into every call that is submitted.

a) This is an awful practice. It means that anybody with a network sniffer will be able to see your password all over the place. It might be ok to submit the password once (although it would be better to use a secure way to transmit the password), but then the session should contain the authentication token.

b) Password only? Never use a password without a username! With a brute force attack, any standalone password will eventually be hacked, but username / password combinations are much more difficult to crack.

c) Your controller methods should not know or care about passwords. It's not their concern. They have work to do; dealing with passwords / security is a cross-cutting concern and should not be implemented on the controller level. Which leads us to the question:

What to use: AOP or Spring Security?

AOP is a very powerful way of implementing cross-cutting functionality, but it has some drawbacks:

  • if you use Spring AOP, advising controllers will only work if you either use interface-backed proxies (and defining interfaces for code that's never called via Java is a bit awkward) or use CGLib-based subclasses through proxy-target-class="true" (in XML config). The latter has funny side effects like double execution of constructors. Many use it, but I would advise against it. Which means Spring AOP is not a good choice.
  • if you use static AspectJ compilation however, you are hardwiring your security concerns into the application code. Security settings should be configurable without recompiling classes, so I'd say we have a no-go here as well.

So my suggestion is:

Use Spring Security

Spring Security is a custom solution for doing exactly what you want: securing Spring based sites (using Spring MVC or another web framework). While Spring Security can be a huge monster, in most cases the configuration needed is minimal:

<http auto-config='true'>
    <!-- restrict all URLs to role ROLE_USER -->
    <intercept-url pattern="/**" access="ROLE_USER" />
</http>
<authentication-manager>
    <authentication-provider>
      <user-service>
        <!-- define two users, jimi and bob -->
        <user name="jimi" password="jimispassword"
              authorities="ROLE_USER, ROLE_ADMIN" />
        <user name="bob" password="bobspassword"
              authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
</authentication-manager>

(Taken from the section A Minimal <http> Configuration)

As mentioned in the previous post, it's better to submit the login data only once per session and store an authentication token inside the user session.

For checking the token you can implement the HandlerInterceptor interface from the Spring Framework.

For example:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

public class MyHandlerInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request,
            HttpServletResponse response, Object handler) throws Exception {

        // check authentication here; write a response and return false
        // to stop the request from reaching the controller
        return true;
    }
}

and the configuration:

<bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
    <property name="interceptors">
        <list>
            <bean id="myInterceptor" class="...MyInterceptor"/>
        </list>
    </property>
</bean>
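Putting the two pieces of this answer together, as an added example that is not code from the question or from either answer: a login handler that checks username and password once and stores a marker in the session, and a HandlerInterceptor that lets every other request through only when that marker is present, so controllers such as AdminController no longer need a password parameter at all. It assumes Spring 5.x with the javax.servlet API and Java configuration instead of the XML bean above; the CredentialChecker interface (which some bean is assumed to implement), the session attribute name and the /login.htm path are made up for this example.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** Hypothetical credential store; a real implementation compares against salted password hashes. */
interface CredentialChecker {
    boolean check(String username, String password);
}

/** Rejects any request whose session does not carry the "logged in" marker. */
public class SessionAuthInterceptor implements HandlerInterceptor {

    /** Session attribute set by LoginController after a successful login (name chosen for this example). */
    static final String USER_ATTR = "authenticatedUser";

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        // getSession(false) never creates a session for an anonymous caller
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            return true; // authenticated: continue to the controller
        }
        // not authenticated: answer the request here and stop the handler chain
        response.sendRedirect(request.getContextPath() + "/login.htm");
        return false;
    }
}

@Controller
class LoginController {

    private final CredentialChecker checker;

    LoginController(CredentialChecker checker) {
        this.checker = checker;
    }

    /** The only handler that ever sees a password; username and password are always submitted together. */
    @RequestMapping(value = "/login.htm", method = RequestMethod.POST)
    public String login(@RequestParam("username") String username,
                        @RequestParam("password") String password,
                        HttpServletRequest request) {
        if (!checker.check(username, password)) {
            return "redirect:/login.htm?error";
        }
        // Discard any pre-login session so a session id handed to the browser before
        // authentication is not promoted to an authenticated one (session fixation)
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(SessionAuthInterceptor.USER_ATTR, username);
        return "redirect:/";
    }
}

@Configuration
@EnableWebMvc
class WebConfig implements WebMvcConfigurer {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Everything except the login page requires an authenticated session
        registry.addInterceptor(new SessionAuthInterceptor())
                .addPathPatterns("/**")
                .excludePathPatterns("/login.htm");
    }
}
```

With this in place the doStuff1 and doStuff2 handlers from the question lose their password parameter entirely, the credential is sent over the wire once per session instead of on every request, and the login endpoint is the single place to add transport protection, rate limiting and logging of failed attempts.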
