如何集成基于angularjs和java jaas的身份验证?
如何集成基于angularjs和java jaas的身份验证?
提问于 2014-06-09 22:08:35
我有一个webapp,它的前端有angularJS,后台有Java。通过Restful与java后端进行通信,通过HTTP消费和发送JSON。我需要为这个应用程序构建身份验证机制,我想知道如何才是最好的方法,目前我正在使用基于JAAS的身份验证(JDBC用户表)。我的应用程序就是这样配置的:
我的web.xml配置有:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>userauth</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/loginError.html</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<display-name>ConstraintSSL</display-name>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<description/>
<url-pattern>/checkout/*</url-pattern>
<url-pattern>/login/*</url-pattern>
<url-pattern>/login.*</url-pattern>
<url-pattern>/account/*</url-pattern>
<url-pattern>/ad/create</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>ConstraintUser</display-name>
<web-resource-collection>
<web-resource-name>user</web-resource-name>
<description/>
<url-pattern>/account/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>ADMINISTRATORS</role-name>
<role-name>USERS</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description/>
<role-name>USERS</role-name>
</security-role>
<security-role>
<description/>
<role-name>ADMINISTRATORS</role-name>
</security-role>
<session-config>
<session-timeout>30</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<welcome-file-list>
<welcome-file>init.html</welcome-file>
</welcome-file-list>init.html只重定向到一个index.html页面,该页面加载角并启动实际的应用程序。
下面是我的UserController,它处理客户端(浏览器)上与用户相关的活动:
myControllers.controller('UserController', ['$scope', '$routeParams', 'UserService',
function($scope, $routeParams, UserService) {
$scope.logged = false;
// if User is not detected by cookie
$scope.user = fetchUserFromCookie();
if (! $scope.user) {
// set default guest user
$scope.user = {
firstName : 'guest',
lastName : 'user',
preferredCurrency : "USD$",
sessionHash: "XXXXXX",
shoppingCart : {
totalItems : 0,
total : 0
}
};
}
$scope.login = function(userName, pass) {
$scope.user = UserService.login(userName, pass);
$scope.logged = true;
};
$scope.logout = function(userName) {
$scope.user = UserService.logout(userName); // warn server side you're logging out
$scope.logged = false;
$scope.user = null;
};
}]);我的目标是提供一个基于JAAS的JDBC身份验证的登录页面,并且只允许那些具有特定管理角色或用户角色的用户查看某个页面,如何在基于angularJS + Java的应用程序中实现这一点?
- 我主要关心的是会话跟踪,
- 如何跟踪特定用户是否已授予访问权并拥有更改特定记录的权限?
- 如何防止像手动更改JS代码或更改Cookie这样的手动黑客来劫持用户会话?
回答 1
Stack Overflow用户
发布于 2015-05-24 21:38:04
- index.html页面应该在html中包含令牌,以避免CSRF。
- 令牌不应该存储在cookie存储中
- 每个请求都应该使用标头param签名。
- 服务器应该通过传递的头来验证每个请求。
- 如果必须使用cookie,则应验证引用程序以防止CSRF。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/24129848
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号