How to handle authentication/authorization with users in a database?
Currently, I am working on a web project using JSF 2.0, Tomcat 7 and MongoDB. I have a big question of how to handle the session management and authentication/authorization with users in a database.

The structure I want is as follows: only logged in users can create events and everyone can see the created events.

create.xhtml --> only for logged in users.
events.xhtml --> public for everyone.

The basic structure I'm planning is:

- Check if the page needs a logged in user (e.g. create.xhtml)
- If the user is not logged in, go to login.xhtml
- (I guess @SessionScoped gets into play)

The question is: where should I use the @SessionScoped annotation? In Create.java or LoginManager.java?

Answer:

There are several options. Which to choose is fully up to you. Just objectively weigh the concrete advantages and disadvantages according to your own situation.
1. Container managed authentication

Just declare a <security-constraint> in web.xml which refers to a security realm which is configured in the servletcontainer. You can for your webapp specify URL pattern(s) which should be checked for login and/or role(s), e.g. /secured/*, /app/*, /private/*, etc.

Before Java EE 8, you unfortunately still need to configure a security realm in a servletcontainer-specific way. It's usually described in the servletcontainer-specific documentation. In case of Tomcat 8, that's the Realm HOW-TO. For example, a database based realm based on users/roles tables is described in section "JDBCRealm".

Since Java EE 8, there will finally be a standard API based on JSR-375.
2. Home grown filter

This allows for much more fine grained control, but you're going to need to write all the code yourself and you should really know/understand how you should implement such a filter to avoid potential security holes. On the JSF side, you could for example just put the logged-in user as a session attribute by sessionMap.put("user", user) and check in the filter if session.getAttribute("user") is not null.
3. Third party framework

For example, Apache Shiro, Spring Security, etc. This usually offers much more fine grained configuration options than standard container managed authentication and you don't need to write any code for this yourself, except for the login page and some (XML) configuration of course.
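An added example of the second option, the home grown filter; this is not code from the question or the answer. It enforces exactly the check the answer describes (a session attribute named "user" set via sessionMap.put("user", user)) for the /secured/* URL pattern the answer mentions, and sends anonymous clients to the question's login.xhtml. The class name LoginFilter is an assumption. Two details are easy to get wrong in such a filter and are handled here: the filter must not create a session for anonymous visitors (getSession(false)), and a JSF ajax request ignores a plain 302, so it needs a partial-response redirect instead.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the original answer): a "home grown" login filter.
 * Every request under /secured/* must belong to a session that carries the
 * "user" attribute; otherwise the client is sent to the login page.
 */
@WebFilter("/secured/*")
public class LoginFilter implements Filter {

    // Attribute name used by the login bean: sessionMap.put("user", user).
    static final String USER_ATTRIBUTE = "user";

    // Login page from the question; hypothetical location in this webapp.
    static final String LOGIN_PAGE = "/login.xhtml";

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isLoggedIn(request)) {
            // Authenticated: let JSF serve the protected page.
            chain.doFilter(req, res);
            return;
        }

        // Protected responses must not be served from a browser or proxy cache,
        // otherwise "back" after logout still shows authenticated content.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Fixed, server-side target: never taken from a request parameter,
        // so the filter cannot be turned into an open redirect.
        String loginUrl = request.getContextPath() + LOGIN_PAGE;

        if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
            // The JSF ajax client does not follow a 302; it expects a
            // partial-response document containing a <redirect> element.
            response.setContentType("text/xml");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().printf(
                "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
              + "<partial-response><redirect url=\"%s\"></redirect></partial-response>",
                loginUrl);
        } else {
            response.sendRedirect(loginUrl);
        }
    }

    /**
     * True only when a session already exists and holds the user object.
     * getSession(false) keeps anonymous visitors from getting a session
     * (and a session cookie) merely by hitting a protected URL.
     */
    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_ATTRIBUTE) != null;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

This filter only answers "is anyone logged in"; it knows nothing about roles, so authorization beyond that (who may create events) still has to be checked where the action happens. The login bean that stores the "user" attribute should also invalidate the pre-login session and let the container issue a fresh session id, since a home grown filter gets none of the session-fixation protection a container managed realm applies on its own.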