标签:jaas javascript angularjs security web-xml
我有一个webapp,在前端有angularJS,在背面有Java. Angular通过Restful Web服务与Java后端进行通信,该服务通过HTTP消耗并发送JSON.我需要为此应用程序构建身份验证机制,并且想知道哪种方法是最好的方法,目前我正在使用基于JAAS的身份验证(JDBC用户表).这是我的应用程序的配置方式:
我的web.xml配置具有:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>userauth</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/loginError.html</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<display-name>ConstraintSSL</display-name>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<description/>
<url-pattern>/checkout/*</url-pattern>
<url-pattern>/login/*</url-pattern>
<url-pattern>/login.*</url-pattern>
<url-pattern>/account/*</url-pattern>
<url-pattern>/ad/create</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>ConstraintUser</display-name>
<web-resource-collection>
<web-resource-name>user</web-resource-name>
<description/>
<url-pattern>/account/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>ADMINISTRATORS</role-name>
<role-name>USERS</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description/>
<role-name>USERS</role-name>
</security-role>
<security-role>
<description/>
<role-name>ADMINISTRATORS</role-name>
</security-role>
<session-config>
<session-timeout>30</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<welcome-file-list>
<welcome-file>init.html</welcome-file>
</welcome-file-list>
init.html仅重定向到index.html页面,该页面加载angular并启动实际的应用程序.
现在,这里是我的UserController,它处理客户端(浏览器)上与用户相关的活动:
myControllers.controller('UserController', ['$scope', '$routeParams', 'UserService',
function($scope, $routeParams, UserService) {
$scope.logged = false;
// if User is not detected by cookie
$scope.user = fetchUserFromCookie();
if (! $scope.user) {
// set default guest user
$scope.user = {
firstName : 'guest',
lastName : 'user',
preferredCurrency : "USD$",
sessionHash: "XXXXXX",
shoppingCart : {
totalItems : 0,
total : 0
}
};
}
$scope.login = function(userName, pass) {
$scope.user = UserService.login(userName, pass);
$scope.logged = true;
};
$scope.logout = function(userName) {
$scope.user = UserService.logout(userName); // warn server side you're logging out
$scope.logged = false;
$scope.user = null;
};
}]);
我的目标是为登录页面提供基于JAAS的JDBC身份验证,并仅允许具有特定ADMIN角色或USER角色的用户查看特定页面,如何在基于angularJS Java的应用程序中实现此目的?
>我主要关心的是会话跟踪,
>如何跟踪特定用户已授予访问权限并有权更改特定记录?
>如何防止手动黑客攻击,例如手动更改JS代码或更改Cookie以劫持用户会话?
解决方法:
> index.html页面应在html内包含令牌以避免CSRF
>令牌不应存储在cookie存储中
>每个请求都应使用标头参数签名
>服务器应通过传递的标头验证每个请求
>如果必须使用Cookie,则应验证引荐来源网址以防止CSRF
标签:jaas,javascript,angularjs,security,web-xml 来源: https://codeday.me/bug/20191011/1888926.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。