
How do I do security in JSF?

I am using Java EE 6 with all reference implementations. I have made some security constraints for some pages, such as everything beneath /secure/*. This is rough-grained security. What if two users both have the same roles, but some content of the same page should only be visible to user "John", for example? Or a totally different page should be shown to "John"? I have many questions unanswered around this, so it would be nice if somebody could provide some links/explanations or books that cover this as well. I need more fine-grained security control.

The fine-grained security features you're hoping for not only exist; Oracle even has a useful blog post covering the subject in detail, complete with sample code.

And because it would be terse and impolite of me to simply link the docs and run, what follows is a bit of discussion on how this goes together, to the best of my understanding.

The 0th problem: rough-grained, declarative security

The biggest problem with declarative security is that it forces you to iteratively define all of your user roles at design time. This is extremely undesirable for two reasons: first, it fails to properly abstract your security model away from your implementation (failing to adequately future-proof your application and opening the door to information disclosure vulnerabilities), and second, it tethers your user roles to the immediate design of your application, routinely failing to provide fine-grained permissions or ACLs when they're desired or necessary.

In effect, this is a problem of insufficient abstraction. You're using a system that immediately meets your current needs, but not one that you can expect to be workable or maintainable over the life cycle of your application, as roles become more complex and the complexity of your code base steadily increases.

Fine-grained security using Managed Beans

The first-order solution here is to use an abstraction model that allows you to define user roles independently in the context of each JSF method call, allowing you to swap them in or out as needed. As a bonus, this allows you to define finer-grained permissions, as such a scheme allows you to define your permissions per method instead of per view, per endpoint, or per bean. And if the roles change? You only need to update your permissions model in a single location, instead of going to each of those beans and swapping out their user definitions.

The aforelinked article goes into far more detail than I'm willing to cover here, so I highly recommend reading the blog post. But the takeaway here is, to do this properly, you should provide both an authentication stack and an annotation layer detailing permission roles, and the twain shall only meet where you've explicitly and deliberately connected the two.

Defining fine-grained method calls and a security policy that makes sense is left as an exercise for the reader, but if you have questions in this area, feel free to ask them in the comments or in a set of follow-up questions, as these questions are inherently useful to a wide audience.

Improvements

It's conceivable that this solution isn't robust enough for your needs. For example, if you wish to authenticate users using LDAP or Kerberos to provide a unified representation of your users and roles, this only provides a partial solution to meet your needs. Several great resources exist in this domain, but this is otherwise left as an exercise for the reader.

The ultimate takeaway here is, in the perfect world, this is how your application security should be defined. Your needs may vary, and for something left at the small scale, simple, declarative security may be fine to meet your needs. After all, that's why it continues to exist.

But, for larger applications that must meet the needs of a large number of users securely and correctly, this is the right way to go. It requires a bit more knowledge and overhead, but it'll save you copious amounts of time, effort, and frustration if you begin by doing it properly.

As always, best of luck with your application.
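The answer above describes an annotation layer for permissions that meets the container's authentication stack only where you wire the two together. The following is an added example of that pattern, written for this page; it is not code from the answer, the question, or the Oracle blog post it references. It assumes Java EE 6 CDI (so it applies to @Named beans, not JSF @ManagedBean ones), and the annotation, interceptor, policy and bean names (RequiresPermission, PermissionPolicy, PermissionInterceptor, ReportBean, the "report:*" permission strings and the role names) are all invented for the illustration. The permission-to-role mapping lives in one class, so changing which roles may do what never touches the beans.

```java
// Added example: a CDI interceptor that enforces a per-method permission annotation.
// All names below are illustrative; only the javax.* APIs are real Java EE 6 types.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.context.RequestScoped;
import javax.enterprise.util.Nonbinding;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InterceptorBinding;
import javax.interceptor.InvocationContext;

/** Marks a bean method (or whole bean) as requiring a named permission such as "report:approve". */
@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@interface RequiresPermission {
    @Nonbinding String value() default "";
}

/** The single place where permissions map to roles. When roles change, only this class changes. */
@ApplicationScoped
class PermissionPolicy {
    private final Map<String, Set<String>> rolesFor = new HashMap<String, Set<String>>();

    public PermissionPolicy() {
        // Constructed sample policy; a real one would be loaded from configuration.
        rolesFor.put("report:view", roles("reader", "auditor", "admin"));
        rolesFor.put("report:approve", roles("auditor", "admin"));
    }

    private static Set<String> roles(String... names) {
        return Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(names)));
    }

    /** Roles allowed to exercise the permission; an unknown permission yields no roles (deny by default). */
    public Set<String> rolesAllowed(String permission) {
        Set<String> roles = rolesFor.get(permission);
        return roles == null ? Collections.<String>emptySet() : roles;
    }
}

/** Runs around every method carrying @RequiresPermission; must be listed in beans.xml to be active. */
@RequiresPermission
@Interceptor
class PermissionInterceptor {
    @Inject
    private PermissionPolicy policy;

    @AroundInvoke
    public Object enforce(InvocationContext ctx) throws Exception {
        // Method-level annotation wins; fall back to the annotation on the declaring class.
        RequiresPermission required = ctx.getMethod().getAnnotation(RequiresPermission.class);
        if (required == null) {
            required = ctx.getMethod().getDeclaringClass().getAnnotation(RequiresPermission.class);
        }
        String permission = required == null ? "" : required.value();

        // The container's authentication stack (JAAS realm, LDAP, ...) is the only source of
        // identity and role membership; this layer only decides which roles satisfy a permission.
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        if (ec.getUserPrincipal() == null) {
            throw new SecurityException("authentication required for " + permission);
        }
        for (String role : policy.rolesAllowed(permission)) {
            if (ec.isUserInRole(role)) {
                return ctx.proceed();
            }
        }
        throw new SecurityException(ec.getUserPrincipal().getName() + " lacks permission " + permission);
    }
}

/** Backing bean secured per method rather than per view or per URL pattern. */
@Named
@RequestScoped
class ReportBean {
    @RequiresPermission("report:view")
    public String open() { return "report"; }

    @RequiresPermission("report:approve")
    public String approve() { return "report?faces-redirect=true"; }
}
```

To activate the interceptor under CDI 1.0, add `<interceptors><class>PermissionInterceptor</class></interceptors>` to WEB-INF/beans.xml (with the class's package prefix if it has one). The deny-by-default lookup in PermissionPolicy matters: a typo in a permission string then blocks the method rather than silently opening it.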

The simplest approach is

<h:panelGroup rendered="#{request.userPrincipal.name == 'user1'}">
    <p>Content for user 1</p>
</h:panelGroup>
<h:panelGroup rendered="#{request.userPrincipal.name == 'user2'}">
    <p>Content for user 2</p>
</h:panelGroup>

Showing multiple versions of the same page is not about security (different version != links hiding); restricting access and requiring additional authorization is. I'll answer that if you don't mind.
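As the answer above notes, the rendered attribute only decides which markup is emitted; it does not stop a request that targets the hidden action. The following is an added example, not code from the answer, showing the server-side counterpart: the same per-user check drives rendered in the page and is re-applied inside the action method. It assumes a CDI @Named bean, container-managed authentication (so getUserPrincipal() is populated), and the bean name, the "john" owner and the note text are constructed sample values.

```java
// Added example: per-user content gated both in the view (rendered) and in the action.
// NoteBean, the owner "john" and the draft text are constructed for this illustration.
import java.security.Principal;
import javax.enterprise.context.RequestScoped;
import javax.faces.context.FacesContext;
import javax.inject.Named;

@Named
@RequestScoped
public class NoteBean {
    // Constructed sample state: the note being edited belongs to user "john".
    private final String noteOwner = "john";
    private String text = "private draft";

    /** Name of the authenticated caller, or null if the container has not authenticated anyone. */
    private String currentUser() {
        Principal p = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal();
        return p == null ? null : p.getName();
    }

    /** Bound as rendered="#{noteBean.owner}" so only the owner sees the editor markup. */
    public boolean isOwner() {
        return noteOwner.equals(currentUser());
    }

    /** Action behind the editor's Save button; it enforces the rule instead of trusting the view. */
    public String save() {
        if (!isOwner()) {
            // A hand-built POST or a stale page can reach here even though the editor was not rendered.
            throw new SecurityException("user " + currentUser()
                    + " may not edit a note owned by " + noteOwner);
        }
        // ... persist text here ...
        return "note?faces-redirect=true";
    }

    public String getText() { return text; }
    public void setText(String text) { this.text = text; }
}
```

In the page this pairs with `<h:panelGroup rendered="#{noteBean.owner}">` wrapping an `<h:inputText value="#{noteBean.text}"/>` and an `<h:commandButton action="#{noteBean.save}"/>`; the panelGroup decides what John sees, and save() decides what anyone is allowed to do.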

You can read about both (authentication, authorization) on the JAAS page. It is also the best framework in my opinion. It takes some time to master, but after that it's pretty easy and you'll even realize it's not heavy-weight at all - you're not forced to use every single feature (just like EJB).

JAAS can log you in even using an LDAP or Windows account; there's even support for multiple authentication steps - you can implement pass+SMS login. You can do that even with acegi, of course (it's just not that easy).

Since you've already mentioned JSF, JAAS fits even better than acegi: you can annotate any backing bean with @RolesAllowed and if the user session does not meet the requirements, a SecurityException will be thrown. This works for servlets and beans (EJB, backing), not for JSPs (however, it wouldn't make much sense anyway).

You can read about @RolesAllowed here, but if you're already considering it, don't miss JBoss Seam Security - it's built on top of both security annotations and JAAS and it's also pretty addictive to use. Worth reading.

BTW guys: I'm not rep-whoring, just found an interesting question so... feel free to fight for the bounty :)

Usually this kind of content will be held in the session variables. So you do not have to think about which user is logged in.
