编程语言
首页 > 编程语言> > javascript-如何集成基于angularjs和java jaas的身份验证?

javascript-如何集成基于angularjs和java jaas的身份验证?

作者:互联网

我有一个webapp,在前端有angularJS,在背面有Java. Angular通过Restful Web服务与Java后端进行通信,该服务通过HTTP消耗并发送JSON.我需要为此应用程序构建身份验证机制,并且想知道哪种方法是最好的方法,目前我正在使用基于JAAS的身份验证(JDBC用户表).这是我的应用程序的配置方式:

我的web.xml配置具有:

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>userauth</realm-name>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/loginError.html</form-error-page>
        </form-login-config>                
    </login-config>

    <security-constraint>   
        <display-name>ConstraintSSL</display-name>
        <web-resource-collection>
            <web-resource-name>protected</web-resource-name>
            <description/>
            <url-pattern>/checkout/*</url-pattern>
            <url-pattern>/login/*</url-pattern>
            <url-pattern>/login.*</url-pattern>
            <url-pattern>/account/*</url-pattern>
            <url-pattern>/ad/create</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>

        <user-data-constraint>        
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>        
    </security-constraint>

    <security-constraint>   
        <display-name>ConstraintUser</display-name>
        <web-resource-collection>
            <web-resource-name>user</web-resource-name>
            <description/>
            <url-pattern>/account/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>       
            <description/>
            <role-name>ADMINISTRATORS</role-name>
            <role-name>USERS</role-name>
        </auth-constraint>

        <user-data-constraint>        
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>        
    </security-constraint>

    <security-role>
        <description/>
        <role-name>USERS</role-name>
    </security-role>
    <security-role>
        <description/>
        <role-name>ADMINISTRATORS</role-name>
    </security-role>

  <session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

   <welcome-file-list>
    <welcome-file>init.html</welcome-file>
   </welcome-file-list>

init.html仅重定向到index.html页面,该页面加载angular并启动实际的应用程序.

现在,这里是我的UserController,它处理客户端(浏览器)上与用户相关的活动:

myControllers.controller('UserController', ['$scope', '$routeParams', 'UserService',
  function($scope, $routeParams, UserService) {
    $scope.logged = false;

    // if User is not detected by cookie
    $scope.user = fetchUserFromCookie();

    if (! $scope.user) {

        // set default guest user
        $scope.user = {         
            firstName : 'guest',
            lastName : 'user',
            preferredCurrency : "USD$",
            sessionHash: "XXXXXX",
            shoppingCart : {
                totalItems : 0,
                total : 0
            }           
        };      

    }

    $scope.login = function(userName, pass) {
          $scope.user = UserService.login(userName, pass);            
          $scope.logged = true;      
    };

    $scope.logout = function(userName) {
          $scope.user = UserService.logout(userName); // warn server side you're logging out
          $scope.logged = false;
          $scope.user = null;
    };

  }]);

我的目标是为登录页面提供基于JAAS的JDBC身份验证,并仅允许具有特定ADMIN角色或USER角色的用户查看特定页面,如何在基于angularJS Java的应用程序中实现此目的?

>我主要关心的是会话跟踪,
>如何跟踪特定用户已授予访问权限并有权更改特定记录?
>如何防止手动黑客攻击,例如手动更改JS代码或更改Cookie以劫持用户会话?

解决方法:

> index.html页面应在html内包含令牌以避免CSRF
>令牌不应存储在cookie存储中
>每个请求都应使用标头参数签名
>服务器应通过传递的标头验证每个请求
>如果必须使用Cookie,则应验证引荐来源网址以防止CSRF

标签:jaas,javascript,angularjs,security,web-xml
来源: https://codeday.me/bug/20191011/1888926.html