Java board - A question about implementing authentication in a web app
Topics: security, password, server, ldap
w*r (posts: 2421)
#1
App Server: Apache Geronimo 2.2
A simple web application needs LDAP authentication of users (no authorization needed).
Some functions in the web app involve the user logging in to the database with their own username. The database also defaults to LDAP authentication.
So I would like to record the password in a session variable at the user login page, so that the user does not have to enter the username and password again.
logon page
This j_security_check seems to be handled by the container itself; I have no way to use a filter to do pre/post processing on it.
Another thing: in the JEE standard, j_security_check only accepts two parameters. If I add a third one, say company, and then pick a different security realm based on the value of company, that does not work either; in the servlet's doPost()/doGet() there is no way to forward the request to j_security_check.
Experts, please help.
g*****g (posts: 34805)
#2
Check Spring Security; it has an LDAP example. It is not a good idea to keep the password in the session. You should pull all the information you need out of LDAP and cache it.

[In reply to w*r, post #1]
M***0 (posts: 1180)
#3
I was also looking today at how to add an extra j_company.
Found this before leaving work:
http://stackoverflow.com/questions/1629273/is-it-possible-to-se
Haven't had time to study it yet.
s******e (posts: 493)
#4
Never used this server, but it seems that you want to use the server's built-in security. Not sure which spec Apache Geronimo 2.2 is using. Did you try request.getUserPrincipal() to see if it is helpful, once you have mapped your principals?
Also, is there any way for you to get the login context or info from the server?
I would be surprised if any server didn't provide a hook for you to get the user's security info. Even if you can get that info, I am not sure it contains the user's password. To me it would be a kind of security breach if you could get it from the server this way.

[In reply to w*r, post #1]
w*r (posts: 2421)
#5
It seems I did not state my requirement clearly. Put it this way:
Webapp security: LDAP realm
Servlet-to-DB connection: standard JDBC; however, each user is required to log on to the database using his/her own credential (username/password).
Because the DB side also accepts LDAP, the username/password the user presents to the web app's authentication are in fact the same as the username/password used to log in to the database.
So I only need to record the password after (or before) the user's login form submission is authenticated successfully, so that the user does not need to enter the username and password again when performing DB operations.
Someone mentioned a call like getPrincipal(); that only returns the username. The password posted from the login form cannot be obtained that way.

[In reply to g*****g, post #2]

w*r (posts: 2421)
#6
BTW, I do not plan to use Spring at all for such a small implementation, and to keep the app simple and portable I am using the standard form-based authentication provided by all J2EE web containers.

[In reply to w*r, post #5]

s******e (posts: 493)
#7
As said, even if you can get the user's security info, I doubt that any app server will expose the password to you if you use built-in security. It would be a security breach. The application server should only pass your principal around so that you can enjoy declarative security among the different parts of the server.
Even if some app servers allow you to intercept the default authentication call (for example basic, form, digest, etc.), there is no way for you to achieve your portability goal.
t*******e (posts: 684)
#8
You need the right JDBC driver, one that is capable of Windows authentication.

[In reply to w*r, post #5]

g*****g (posts: 34805)
#9
Not a scalable design. A DB can typically only allocate a much smaller connection pool than your app server's thread pool, and in your case you'll need to create a DB connection for every one of your users, which will perform poorly.
You don't want to use fine-grained access control on the DB itself. Do that on the app server instead.
You may be able to get away with it if your system has low concurrency (i.e., no more than 100 concurrent sessions). In that case, at least mask the password.

[In reply to w*r, post #1]
M***0 (posts: 1180)
#10
The JAAS implementation is vendor specific.
I believe every app server provides an extensible class that lets you extract the plain password.
In GlassFish it is the abstract class AppservPasswordLoginModule,
which defines protected String _username and protected String _password.
Spring's UsernamePasswordAuthenticationToken has getPrincipal() and getCredentials() to extract the username and password respectively.
The app server you use should also have a class with the same function, but what the app servers provide is not interchangeable, and you still have to add the resource to the app server. Using Spring is actually what gives you the same code for all servers.
Correct me if I'm wrong.

[In reply to w*r, post #6]

w*r (posts: 2421)
#11
This reply is on the mark. It looks like the simple approach is to extend LDAPAuthenticationLogingModule inside the webapp and do it by hand. Actually this kind of requirement is fairly common: unless every system uses Kerberos, with everyone sharing one LDAP, signing on once and not having to repeat the password is a common feature.
Spring is more trouble; hand-rolling a LoginModule is easier.

[In reply to M***0, post #10]

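The vendor-specific password access that post #10 describes and post #11 wants to hand-roll is, underneath, the standard JAAS callback mechanism: a LoginModule hands the container's CallbackHandler a NameCallback and a PasswordCallback and receives the cleartext password that was posted to the login form. The listing below is an added example, not code from this thread and not Geronimo's or GlassFish's own login module. It shows a LoginModule that verifies the user and parks the password in the Subject's private credentials as a Destroyable so that a later component can open the per-user JDBC connection, and it runs stand-alone through LoginContext with a programmatic Configuration. The class names (CapturingLoginModule, DbPassword, DirectoryPrincipal, ConstructedDirectory), the "webapp" configuration entry name and the user alice/s3cret! are assumptions; ConstructedDirectory is an in-memory stand-in for the LDAP bind. How the servlet later obtains the Subject is the container-specific part the thread complains about, and this example does not show that step.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Destroyable;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Stand-in for the directory (constructed data). A real module would bind to LDAP here instead. */
final class ConstructedDirectory {
    private static final Map<String, char[]> USERS = new HashMap<>();
    static { USERS.put("alice", "s3cret!".toCharArray()); }
    static boolean bind(String user, char[] password) {
        char[] stored = USERS.get(user);
        return stored != null && Arrays.equals(stored, password);
    }
}

final class DirectoryPrincipal implements Principal {
    private final String name;
    DirectoryPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public String toString() { return "DirectoryPrincipal[" + name + "]"; }
}

/** The captured password: a private credential of the Subject, zeroed on logout. */
final class DbPassword implements Destroyable {
    private char[] chars;
    DbPassword(char[] src) { chars = src.clone(); }
    char[] get() { if (chars == null) throw new IllegalStateException("destroyed"); return chars.clone(); }
    @Override public void destroy() { if (chars != null) { Arrays.fill(chars, '\0'); chars = null; } }
    @Override public boolean isDestroyed() { return chars == null; }
}

/** Hypothetical LoginModule: verifies the user and keeps the password for database passthrough. */
public class CapturingLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private char[] password;
    private boolean succeeded;
    private DirectoryPrincipal principal;
    private DbPassword credential;

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });   // in a container, this is where j_username/j_password arrive
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e);
        }
        user = nc.getName();
        password = pc.getPassword();   // getPassword() returns a copy; clear the callback's own buffer at once
        pc.clearPassword();
        if (user == null || password == null || !ConstructedDirectory.bind(user, password)) {
            abort();
            throw new FailedLoginException("bad username or password");
        }
        succeeded = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        principal = new DirectoryPrincipal(user);
        credential = new DbPassword(password);
        subject.getPrincipals().add(principal);
        subject.getPrivateCredentials().add(credential);   // from here on only the Subject carries the password
        Arrays.fill(password, '\0');
        return true;
    }

    @Override
    public boolean abort() {
        if (password != null) Arrays.fill(password, '\0');
        succeeded = false;
        return true;
    }

    @Override
    public boolean logout() {
        if (credential != null) credential.destroy();
        if (principal != null) subject.getPrincipals().remove(principal);
        return true;
    }

    /** Runs the module through LoginContext with a programmatic Configuration (no jaas.conf file needed). */
    public static void main(String[] args) throws Exception {
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(CapturingLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
        CallbackHandler formInput = callbacks -> {   // stands in for what the login form posted (constructed)
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("s3cret!".toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("webapp", new Subject(), formInput, cfg);
        lc.login();
        DbPassword cred = lc.getSubject().getPrivateCredentials(DbPassword.class).iterator().next();
        System.out.println("principals=" + lc.getSubject().getPrincipals() + ", password chars held=" + cred.get().length);
        lc.logout();
        System.out.println("destroyed after logout=" + cred.isDestroyed());
    }
}
```

Two details are what separate this from the "grab _password from a protected field" shortcut: the PasswordCallback buffer is cleared as soon as it has been copied, and the copy is wrapped as a Destroyable in commit() and destroyed in logout(), so the plaintext lives exactly as long as the authenticated Subject rather than until the garbage collector gets around to it. If the password has to travel beyond the Subject, hand the Destroyable wrapper around, never a String.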
w*r (posts: 2421)
#12
The app itself is not a high-concurrency OLTP app; scalability is not a major concern. Security requires the user to identify himself/herself while performing RDBMS operations.
The backend database is already configured to use LDAP, therefore some trick needs to be played to achieve the better user experience of not having to input the username/password multiple times.

[In reply to g*****g, post #9]

T****U (posts: 3344)
#13
Sharing a username/password across different systems? That in itself is dangerous.

[In reply to w*r, post #12]

T****U (posts: 3344)
#14
Make your own form, collect the username/password, and then forward to j_security_check?

[In reply to w*r, post #1]
g*****g (posts: 34805)
#15
As I said, if scalability is not a concern, you simply mask the password and cache it in the session; very simple.
Take the Spring Security LDAP example; I guess you only need to modify a few lines of code.

[In reply to w*r, post #12]

M***r (posts: 79)
#16
When authentication succeeds (register a listener and you will be notified), you store the principal (or your own customized security-info object) in the session. After that, you use the security principal stored in the session to determine whether the user has logged in. You never store the password in the session!!!
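Posts #14 through #16 converge on two techniques: collect the credentials in your own form instead of relying on j_security_check, and keep the login state in the session behind a principal rather than a password. Where the per-user database login really does need the password (the trade-off posts #9 and #15 accept for low concurrency), the following added example, which is not from this thread, shows how one servlet can do the login programmatically and hold the password for no longer than the session. It assumes a Servlet 3.0 container: HttpServletRequest.login() does not exist in Servlet 2.5, so this is newer than the Java EE 5 level that Geronimo 2.2 targets. The servlet path /db, the attribute name db.credential, the JDBC URL and the PostgreSQL query SELECT current_user are assumptions. Nothing here masks the password: a reversible transform protects nothing against whoever can read the session store, so the example bounds the credential's lifetime instead.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Holds the directory password for one HTTP session so the servlet can open a JDBC
 * connection as that user. Kept as char[] (not String) and zeroed in valueUnbound, which
 * the container calls when the attribute is removed or the session is invalidated or expires.
 */
final class SessionCredential implements HttpSessionBindingListener {
    private final String username;
    private char[] password;

    SessionCredential(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }

    /** Opens a fresh per-user connection; the caller closes it after the operation, so no connection is parked in the session. */
    Connection openConnection(String jdbcUrl) throws SQLException {
        if (password == null) throw new IllegalStateException("credential already cleared");
        return DriverManager.getConnection(jdbcUrl, username, new String(password));
    }

    @Override public void valueBound(HttpSessionBindingEvent e) { }

    @Override public void valueUnbound(HttpSessionBindingEvent e) {
        if (password != null) { Arrays.fill(password, '\0'); password = null; }
    }
}

/** POST /db logs the user in against the container realm; GET /db runs a query as that user. */
@WebServlet("/db")
public class LdapPassthroughServlet extends HttpServlet {
    static final String CREDENTIAL = "db.credential";
    // Hypothetical JDBC URL; a real deployment would read it from configuration.
    static final String JDBC_URL = "jdbc:postgresql://db.example.internal/app";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        if (user == null || pass == null) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }

        // Discard any pre-login session before authenticating so an attacker cannot fixate its id.
        HttpSession stale = req.getSession(false);
        if (stale != null) stale.invalidate();
        HttpSession session = req.getSession(true);
        try {
            req.login(user, pass);   // Servlet 3.0: authenticate against the realm configured for this webapp (LDAP)
        } catch (ServletException e) {
            session.invalidate();
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The database accepts the same LDAP password, so keep it exactly as long as the session lives.
        session.setAttribute(CREDENTIAL, new SessionCredential(user, pass.toCharArray()));
        session.setMaxInactiveInterval(15 * 60);   // a short idle timeout bounds the password's lifetime
        resp.sendRedirect(req.getContextPath() + "/db");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        SessionCredential cred = session == null ? null : (SessionCredential) session.getAttribute(CREDENTIAL);
        if (req.getUserPrincipal() == null || cred == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }

        // One short-lived connection per operation, opened as the logged-in user and closed on the way out.
        try (Connection c = cred.openConnection(JDBC_URL);
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SELECT current_user")) {
            resp.setContentType("text/plain");
            if (rs.next()) resp.getWriter().println("database session runs as " + rs.getString(1));
        } catch (SQLException e) {
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY, "database login failed");
        }
    }
}
```

The session-fixation step matters because a form-based login is exactly where an attacker would try to plant a session id; invalidating before login() also avoids throwing away the authenticated state that some containers cache in the session. The request parameter still reaches the servlet as a String, which only garbage collection can discard, so the char[] handling limits what lives in the session attribute but does not make the password unrecoverable from a heap dump. Since the session cookie now stands in for the password, set <http-only>true</http-only> and <secure>true</secure> under <session-config><cookie-config> in web.xml so it is neither readable by script nor sent in the clear.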