问题描述
我是Java EE开发的新手,但是我很顺利,
我对应用程序的安全性部分感到困惑。
I'm new to Java EE development however I'm going well in it,I'm a bit confused with the security part of my application.
我已经阅读了一些关于如何在Java EE Web应用程序中实现JAAS安全性的文章。这是我读到的&理解,其他人都不清楚:
I have read a few articles on how I can implement JAAS security in my Java EE web application. This is what I read & understood, all he others were unclear: http://uaihebert.com/user-login-validation-with-jaas-and-jsf/
这个例子非常好,除了它配置JBoss服务器外,我没有使用JBoss,我不打算这样做。如果我要使用JAAS,我是否需要配置我正在运行(开发)的本地Web服务器?也许有些事情我对JAAS并不是很了解?
如果我要遵循这个例子并使用JBoss并按原样配置它。当我将我的Web应用程序部署为war文件时,我上传了war文件,让我们说在tomcat服务器上,它仍然是安全的吗?
The example is great and all but it configures the JBoss server, Im not using JBoss and I'm not intending to. If I were to use JAAS do I need to configure the local web server I'm running (developing) on? Perhaps there are some things I don't really understand about JAAS?And if I were to follow that example and use JBoss and configure it as they did. when I deploy my web application as a war file, and I uploaded the war file lets say on a tomcat server, will it still be secured?
任何帮助/指导都会非常感谢!
谢谢!
Any help/guidance would be extremely appreciated!Thanks!
推荐答案
Java EE中不存在JAAS安全性。 JAAS是一个Java SE框架,用于保护类级别的资源。您可以使用它来限制您下载的代码(如Applet)可以在您的计算机上执行的操作。
JAAS security doesn't exist in Java EE. JAAS is a Java SE framework to secure resources at the class level. You use this for limiting what code that you downloaded (like Applets) can do on your computer.
使用Java EE时情况正好相反。您不下载单个用户(您在计算机上)的未知代码,但未知用户登录到您的代码(您在服务器上运行)。
With Java EE the situation is reversed. You don't download unknown code for a single user (you on your computer), but unknown users log in to your code (that you run on a server).
之所以会出现一些混淆,因为有些服务器使用术语JAAS来实现最近称为身份存储的服务器特定实现(存储用户和角色的事物,如ldap)。
Some confusion happens because a few servers use the term JAAS for the server specific implementation of what's lately called "identity stores" (the things that store users and roles like ldap).
但是:
- 只使用了一个令人尴尬的小部分JAAS(某些类型如LoginModule)
- 声称使用JAAS的服务器都以不同的方式进行,你只想知道为什么他们一开始就打扰它
- 到目前为止,并非每个服务器都使用JAAS。 Tomcat,Jetty,Resin,Liberty和WebSphere根本不使用它。
这篇关于基于Java EE的Web应用程序服务器中的JAAS安全性是否依赖?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!