Java中安全的Web应用程序开发
[英]Secured web application development in java
问题描述
i have asked to do a web application using java (using open source frameworks) which should be a high secured application. 
我要求使用Java(使用开放源代码框架)做一个Web应用程序,它应该是高度安全的应用程序。
I have an impression that using https will solve all the issues related to communication between browser and server. 我的印象是,使用https将解决与浏览器和服务器之间的通信有关的所有问题。 is it correct ? 这是正确的吗 ?
if i want to store the login details in to the session object. 如果我想将登录详细信息存储到会话对象中。 is it really safe if i do that assuming the connection is https. 如果我假设连接是https,这样做真的安全吗?
please give me some thoughts about how to develop secured (to sustain session ID spoofing etc..) applications using java. 请给我一些有关如何使用Java开发安全(to sustain session ID spoofing etc..)应用程序的想法。 all the while i was just doing normal username and password login applications where the system stores user info(like username and role) into session object. 一直以来,我只是在做普通的用户名和密码登录应用程序,系统将用户信息(如用户名和角色)存储到会话对象中。
Thanks & Regards, 感谢和问候,
Venky 文基
3 个解决方案
解决方案1
4 已采纳 2011-03-18 09:23:31
在开始开发安全的Web应用程序之前,请先阅读OWASP指南。
解决方案2
3 2011-03-18 09:15:47
You can use Spring Security to secure your application which makes it easy to handle login and logout routines and access control over your application using annotations, request maps and so on based on roles assigned to user. 您可以使用Spring Security来保护您的应用程序,从而可以轻松地处理登录和注销例程,并根据分配给用户的角色使用注释,请求映射等对应用程序进行访问控制。 It handles storing login information. 它处理存储登录信息。 And if you find, that something should be done differently, you can implement your own mechanism to satisfy your needs - Spring Security is highly customizable with interfaces. 而且,如果发现应该以不同的方式完成某些事情,则可以实现自己的机制来满足您的需求-Spring Security可以通过界面进行高度自定义。 Possibilities are enormous and for what I know, Spring Security is pretty much standard now for securing web application based on Java. 可能性是巨大的,据我所知,Spring Security现在已成为保护基于Java的Web应用程序的标准。
Personally I'm using Spring Security in grails application, and I'm very satisfied by the way it works and it's possibilities. 我个人在grails应用程序中使用Spring Security,并且对它的工作方式和可能性感到非常满意。
解决方案3
1 2011-03-18 08:49:25
I have an impression that using https will solve all the issues related to communication between browser and server.
Yes , because it won't send request in plain form, it will encrypt and send. 是的 ,因为它不会以纯格式发送请求,所以它将加密并发送。
if i want to store the login details in to the session object.
It has nothing to do with https, it will be stored on server. 它与https无关,它将存储在服务器上。
and to enable HTTPS in your webserver you need to configure SSL with your web/app server 并在您的网络服务器中启用HTTPS ,您需要在您的网络/应用服务器中配置SSL
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.