Web site login in Java + Google App Engine
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you reuse it you must follow the same licence, cite the original address, and attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/1000522/
Asked by Shane
I am new to web programming, coming from a video game development background (c++), and am really starting to feel information overload. There are so many competing libraries which all pick something they don't like in some other library, and build an entirely new way of doing the same thing! I am sure there there are good reasons for this, and I don't want to complain, so I'll explain my problem.
To ease my journey, I've decided to start learning Google App Engine + GWT + Java. I like it because it's a distributed server architecture out of the box, and I've chosen Java because of my C++ background.
To begin with I wrote little Twitter-like application because it tests various aspects of web development, namely: REST, JSON parsing/creation, AJAX comms, and HTML generation. It didn't take me too long to create a little site that allows a user to enter their name and password into page in the browser, send the data across to my app, I login on their behalf, grab their friends list, and emit it back to the client as JSON, where I parse it and display it.
Pretty simple stuff.
So, the next step was that I didn't like sending the password the user has entered over the network as plain text (obviously). That got me thinking about all the plumbing I would need:
- Authenticate users against my own database, not Google's. (Login/Lost password/Logout)
- Enter/exit (track) a session (logged in/logged out).
- Store user data in my Google app's database.
All pretty standard stuff that's been around forever. Well I started looking around for a Java authentication library and there were such large, monolithic libraries with huge learning curves, and some are old or not in favour any more... I feel like a total beginner programmer all over again! I just want to have a login page! :)
So then I started reading up on how the plumbing of authentication works, and there is a huge amount to take in. Apparently it's quite common for people to (insecurely) roll their own. I'd rather take a solution that exists and is solid.
So the question becomes, what do people do about this? Twitter supports both HTTP and HTTPS, but defaults to HTTP for its REST API, does that mean people's passwords are flying around unprotected, ready to be intercepted by man-on-the-middle hacks?
I also looked at OAuth, which looks excellent, but it doesn't have a case for just a good old "I don't want know or care what OpenID is". Non technical people I've showed OpenID to are like "wha? I just want to put my username/password in".
As a side note, has anyone had any luck with Spring.Security on Google App Engine?
Anyway, I'm ranting. I just want to know what people do (not in Python, Rails etc, but in good old Java). I'd love to have a login page like Digg, with even an option one day for OpenID :)
Cheers, Shane
Accepted answer by RC.
I can't speak to Spring Security alongside Google App Engine, but I can say a few things about it that may be helpful.
First, it is very simple to setup, and they have good tutorials for getting it up and going. Personally, I used the pet-clinic tutorial as a guide for how to apply spring security to my project the first time. I was able to get it setup in a matter of an hour or two and had basic security using my database over a few different pages. Your mileage may vary of course, but worst case scenario you have their full fledged tutorial you can poke and prod to see how it reacts.
Secondly, the library is very configurable. If you search through the manual you'll get a good idea of the things you can do, and I had no problems reworking the areas I needed to change for my project. I have confidence that you should be able to work those Spring Security and Google App Engine together. In general I have been pleased with the Spring source's foresight and ability to interact with other libraries.
Finally, Spring Security supports OpenID if that's something you decide you want to layer in. I haven't played with this portion yet, but from the tutorial it also looks pretty intuitive. The nice thing here, is that you should be able to add that after the fact if it turns out that you should have supported OpenID after all.
I wish you the best of luck!
Answer by Alex Worden
I just stumbled upon your post. You seemed (past tense since it's been a long time) to be confused about HTTP / HTTPS usage and authentication. If you are using HTTP, your password is not being bounced around in plain text. Typically, the login information is POSTed via HTTPS. By this time, a session has been established, which is tracked via a large randomly generated identifier in a cookie. The user is authenticated on the server and their id is stored in the session (stored on the server) to mark that they're signed in.
From that point onwards, the user is tracked via the session. Yes it's possible that a man-in-the-middle could hijack the cookie and assume your identity. This is the case for 100% of sites that work over HTTP but it clearly is just not a problem or you'd hear more about it. For HTTPS, the session cookie can be marked as secure, meaning that it will only ever be sent via HTTPS from the browser. In the past, I've found that browsers behave differently, sometimes sharing the same value for a secure and non-secure same-named cookie (which is a dumb idea). Your best bet is to use a separately named secure cookie to ensure the user is logged in for secure functions on your website.
I agree with you that the JAAS framework is plain awful. It must have been written by a bunch of deranged lunatics with no common sense.
As for using Google App Engine - they will take care of all the authentication for you. It looks like you have no choice but to use Google Accounts which is a shame. It's also a shame that they insist that you redirect to their login page because this breaks the way a GWT app works. I'm currently looking into managing my own accounts because I don't want google to own them and I don't want that disjointed experience on my site.
However, it seems impossible to track a user without a session (Sessions can be supported in GAE but are strongly discouraged to promote scalability in GAE). Without a session I literally do need to send the password and authenticate the user with every RPC request. Google are pulling some tricks to make the getUserPrincipal() method work across their server clusters - and it seems you only get that magic if you go with Google Accounts.
Maybe I'm missing something, but the Google docs just skim over this gaping hole :(
Answer by doro
hey there, if you wanna work with java you might wanna look into WICKET... that's a pretty neat java-framework that offers a great deal. it is component-oriented and through the examples pretty easy to understand (see the login-example on the extended example page ... I got it running pretty fast). it also works with other js-frameworks, but also offers its own ajax-implementation. it also has a great mailing-list!
Answer by dfa
I'm trying to do the same using servlet's security-constraint element. In my application basic/digest auth under https is fine.
In the next day I will also try to implement another application using restlet and/or JAX-RS. Both frameworks provide security hooks.
> Enter/exit (track) a session (logged in/logged out).
This can be easily implemented using a servlet filter (again, fully supported by GAE).
> As a side note, has anyone had any luck with Spring.Security on Google App Engine?
Spring Security is supported.
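Putting dfa's servlet-filter suggestion together with the session tracking Alex Worden describes (user id stored server-side in the session, session id carried in a cookie that should only travel over HTTPS), here is an added example that is not code from the thread: a filter that lets a request through only when it arrives over HTTPS and the session carries a user id set by the login servlet. The attribute name userId, the /login path and its next parameter are assumptions; on App Engine the filter is mapped in web.xml with a filter-mapping and sessions have to be enabled in appengine-web.xml.

```java
// Added example (not from the thread): session-tracking filter for a
// servlet app such as one deployed on Google App Engine. Assumes the login
// servlet, after checking the password against the app's own datastore,
// stores the user's id in the HttpSession under the attribute "userId".
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginFilter implements Filter {
    // Session attribute written by the login servlet (assumed name).
    static final String USER_ID = "userId";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Refuse plain HTTP: over HTTP the session cookie is readable on the
        // wire, which is exactly the cookie-hijacking risk discussed above.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // getSession(false) avoids creating sessions for anonymous visitors,
        // so the session store on GAE only holds logged-in users.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ID) == null) {
            // Logged out: send to the login page and remember where they were going.
            String next = URLEncoder.encode(request.getRequestURI(), "UTF-8");
            response.sendRedirect("/login?next=" + next);
            return;
        }
        chain.doFilter(req, res); // logged in: continue to the protected servlet
    }

    // Logout handler: invalidating the session discards the server-side user
    // id, so the old cookie value no longer identifies anyone.
    static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
    }
}
```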