
How to protect a servlet from external users?

I have tried to use security-constraint in web.xml. I gave permission to admin by using a role. How do I test whether the servlet is secured and can be accessed only by the admin?

To test the servlet, you need at least two Google Accounts. One Google Account must be added as at least a Viewer on your Google App Engine Admin Console; the other Google Account must not be added. The Google Account that is not added in the Admin Console should not be able to access any servlet where the role is defined as admin.

If for some reason the tests fail, you need to make sure you've followed all the steps in the documentation to secure the servlet and implement an authentication schema. The following outlines using Google OAuth and the UserService as an example.

Out of the box, Google App Engine gives you two roles to use within your application: User and Admin.

Admin users are defined as any user that is listed as any one of the three roles on the Google App Engine project, so if you want to grant someone admin access to your servlet, you could add them as a Viewer in the http://appengine.google.com panel.

The UserService class gives you access to the logged-in user. You would need to use this to create a login URL for your user, log them in through Google using his or her Google account, redirect him or her to your application, and then use UserService.isUserAdmin() to determine if that user is indeed an admin user.

Using the Users Service describes in detail how to get started using the UserService class.

package guestbook;

import java.io.IOException;
import javax.servlet.http.*;
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

public class GuestbookServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse resp)
          throws IOException {
        UserService userService = UserServiceFactory.getUserService();
        // null when the request is anonymous (no Google sign-in)
        User user = userService.getCurrentUser();

        if (user != null) {
            resp.setContentType("text/plain");
            // true only for Google Accounts listed on the App Engine project (Viewer or above)
            if(userService.isUserAdmin()) {
                resp.getWriter().println("Hello, " + user.getNickname() + ", you are logged in as an admin");
            } else {
                resp.getWriter().println("Hello, " + user.getNickname());
            }
        } else {
            // not signed in: send the user to Google sign-in and back to this URL afterwards
            resp.sendRedirect(userService.createLoginURL(req.getRequestURI()));
        }
    }
}

The Google App Engine Users Java API Overview demonstrates how to handle logging in users on Google App Engine:

import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

public class MyServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        UserService userService = UserServiceFactory.getUserService();

        // URL to return to after sign-in or sign-out
        String thisURL = req.getRequestURI();

        resp.setContentType("text/html");
        // on App Engine the servlet principal is populated from the Google sign-in
        if (req.getUserPrincipal() != null) {
            // the principal name is written into HTML as-is here; escape it in real code
            resp.getWriter().println("<p>Hello, " +
                                 req.getUserPrincipal().getName() +
                                 "!  You can <a href=\"" +
                                 userService.createLogoutURL(thisURL) +
                                 "\">sign out</a>.</p>");
        } else {
            resp.getWriter().println("<p>Please <a href=\"" +
                                 userService.createLoginURL(thisURL) +
                                 "\">sign in</a>.</p>");
        }
    }
}

Securing the Servlet:

If you have pages that the user should not be able to access unless signed in, you can establish a security constraint for those pages in the deployment descriptor (the web.xml).

The Deployment Descriptor: Security and Authentication page demonstrates how to modify your web.xml so that only admins can access certain servlets.

<security-constraint>
    <web-resource-collection>
        <url-pattern>/profile/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

In this example, the servlet /profile is accessible by users with any role, indicated by *, and the /admin servlet is only accessible by users with the role admin.

While Google App Engine Java does have built-in security, the roles are somewhat limited. If you need finer-grained control over the roles of your users, see Luke Taylor's post on Spring Security in Google App Engine. The example is old, but if you turn your logging level up to TRACE, you can make it work on the latest versions of Spring and the latest GAE SDK.
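The three-case check the question asks for (anonymous, signed in but not on the project, signed in as a project member), as an added example that is not part of the original answer or of the App Engine documentation. It keeps the admin decision in one method so it can be exercised without HTTP, and runs it against the App Engine local test environment (LocalServiceTestHelper and LocalUserServiceTestConfig from appengine-testing.jar, with appengine-api-stubs.jar on the classpath), so no real Google Accounts are needed. The class AdminOnlyServlet, the decide() method and the example.com addresses are this example's own, not App Engine API. Note what it does and does not cover: the web.xml security-constraint is enforced by the App Engine front end before the servlet runs, so it cannot be exercised here; the in-servlet check is defense in depth behind that constraint, and the two-account test from the answer is still how you verify the web.xml rule on a deployed app.

```java
package guestbook;

import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;
import com.google.appengine.tools.development.testing.LocalServiceTestHelper;
import com.google.appengine.tools.development.testing.LocalUserServiceTestConfig;

// Added example (not the original answer's code): an admin-only servlet whose access
// decision mirrors <auth-constraint><role-name>admin</role-name></auth-constraint>
// in web.xml, plus a local three-case check of that decision.
public class AdminOnlyServlet extends HttpServlet {

    /** Outcome of the access decision, kept apart from HTTP so it can be checked directly. */
    public enum Decision { LOGIN_REQUIRED, FORBIDDEN, ALLOWED }

    /**
     * The single place the rule lives: the caller must be signed in AND be a member of
     * the App Engine project (Viewer or above), which is what isUserAdmin() reports.
     * isUserLoggedIn() is checked first because isUserAdmin() throws for anonymous callers.
     */
    public static Decision decide(UserService userService) {
        if (!userService.isUserLoggedIn()) {
            return Decision.LOGIN_REQUIRED;
        }
        return userService.isUserAdmin() ? Decision.ALLOWED : Decision.FORBIDDEN;
    }

    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        UserService userService = UserServiceFactory.getUserService();
        switch (decide(userService)) {
            case LOGIN_REQUIRED:
                // Anonymous: send to Google sign-in and return to this URL afterwards.
                resp.sendRedirect(userService.createLoginURL(req.getRequestURI()));
                return;
            case FORBIDDEN:
                // Signed in with an account that is not on the project: deny, leak nothing.
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            case ALLOWED:
                resp.setContentType("text/plain");
                resp.getWriter().println("admin content for "
                        + userService.getCurrentUser().getEmail());
        }
    }

    /** Runs one configured environment through decide() and compares with the expectation. */
    private static void runCase(LocalServiceTestHelper helper, Decision expected) {
        helper.setUp(); // installs the configured fake environment for this thread
        try {
            Decision actual = decide(UserServiceFactory.getUserService());
            if (actual != expected) {
                throw new AssertionError("expected " + expected + " but got " + actual);
            }
        } finally {
            helper.tearDown();
        }
    }

    /**
     * Local three-case check. setEnvIsLoggedIn/setEnvIsAdmin drive exactly the flags that
     * isUserLoggedIn()/isUserAdmin() read, the same flags that project membership sets in
     * production. Addresses are constructed for the example.
     */
    public static void main(String[] args) {
        LocalServiceTestHelper helper =
                new LocalServiceTestHelper(new LocalUserServiceTestConfig());

        // Case 1: anonymous request -> redirect to sign-in.
        runCase(helper.setEnvIsLoggedIn(false), Decision.LOGIN_REQUIRED);

        // Case 2: signed in, but the Google Account is not listed on the project -> 403.
        runCase(helper.setEnvIsLoggedIn(true)
                      .setEnvAuthDomain("gmail.com")
                      .setEnvEmail("outsider@example.com")
                      .setEnvIsAdmin(false),
                Decision.FORBIDDEN);

        // Case 3: signed in with an account listed on the project (Viewer or above) -> allowed.
        runCase(helper.setEnvEmail("viewer@example.com").setEnvIsAdmin(true),
                Decision.ALLOWED);

        System.out.println("all three cases behave as expected");
    }
}
```

Run main() from the SDK's test classpath (or wrap runCase() in JUnit methods); a failure in case 2 means the servlet would serve admin content to any signed-in Google Account, which is precisely the gap the web.xml constraint and the in-code check are both there to close.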
