Java 如何在 Web 应用程序中实现 HTTPS 登录页面?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1454021/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to implement a HTTPS login page in a web application?
提问by
I want to create a secure login/logout mechanism. I started reading the following articles to get an idea of things to take into account:
我想创建一个安全的登录/注销机制。我开始阅读以下文章以了解需要考虑的事项:
These articles make some good points, but I was thinking in using HTTPS in a similar way as the Yahoo mail login page. You know... you type http://mail.yahoo.comand you are redirected to a HTTPS page like **https://**login.yahoo.com/config/login where you insert your username and password and after your credentials are verified you are redirected back to a HTTP page with a generated session_idcookie and all communications from there on are on HTTP using the cookie.
这些文章提出了一些很好的观点,但我想以与 Yahoo 邮件登录页面类似的方式使用 HTTPS。你知道...你输入http://mail.yahoo.com并且你被重定向到一个像 **https://**login.yahoo.com/config/login 这样的 HTTPS 页面,你在其中插入你的用户名和密码,然后在验证您的凭据后,您将被重定向回带有生成的session_idcookie的 HTTP 页面,并且从那里开始的所有通信都使用 cookie 在 HTTP 上进行。
What do I need to implement this behavior?
我需要什么来实现这种行为?
I want to do this for two Java web apps (one with Spring framework and one with Struts 1) but don't know exactly how to integrate that HTTPS part into the application (I have never worked with HTTPS before).
我想为两个 Java Web 应用程序(一个使用 Spring 框架,一个使用 Struts 1)执行此操作,但不知道如何将该 HTTPS 部分集成到应用程序中(我以前从未使用过 HTTPS)。
采纳答案by kgiannakakis
First of all you need to enable SSL for your server. For Tomcat you need to generate an openSSL keystore and add the following connector to server.xml:
首先,您需要为您的服务器启用 SSL。对于 Tomcat,您需要生成一个 openSSL 密钥库并将以下连接器添加到 server.xml:
<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
keystoreFile="mykeystore" sslProtocol="TLS"
keystorePass="keystore password" />
To integrate SSL into your application I recommend Spring Security. It offers exactly what you want (login over HTTPS, then redirected to HTTP). All you have to do to implement it, is to set forceHTTPS to true:
要将 SSL 集成到您的应用程序中,我建议使用 Spring Security。它提供了您想要的东西(通过 HTTPS 登录,然后重定向到 HTTP)。要实现它,您所要做的就是将 forceHTTPS 设置为 true:
<bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl" value="/pages/login.jsp" />
<property name="forceHttps" value="true"/>
</bean>
Of course Spring and Spring security do have a rather steep learning curve, but it is totally worth it. Do it once and then you can apply it to new apps in less than an hour. You can use Spring Security in both the Spring and Struts application.
当然 Spring 和 Spring 安全确实有一个相当陡峭的学习曲线,但它是完全值得的。做一次,然后你可以在不到一个小时的时间内将它应用到新的应用程序中。您可以在 Spring 和 Struts 应用程序中使用 Spring Security。
Spring security used to be Acegi security. This is an articlethat will get you started.
回答by UpTheCreek
Not sure about any Java or spring specifics, but in general:
不确定任何 Java 或 spring 细节,但总的来说:
1) Set up an SSL cert on your server.
1) 在您的服务器上设置 SSL 证书。
2) Forward or Link to an absolute URL (with https:// at the beginning) when going to login page
2)进入登录页面时转发或链接到绝对URL(以https://开头)
3) Forward to an absolute URL (with http://) after successful authentication.
3) 认证成功后转发到绝对 URL(带 http://)。
4) Include a check in the login page code to only accept https connections.
4) 在登录页面代码中勾选只接受 https 连接。
Of course there may be framework specific ways of doing the http/https redirect without resorting to explicitly specifying the full URL.
当然,可能有框架特定的方法来执行 http/https 重定向,而无需明确指定完整的 URL。
回答by Serge Bogatyrev
@see Acegi (spring security)
@see Acegi(春季安全)
I think it provides all required components. For example it supports login via https. There is a good reference. How to get https login you can read here. I think you should read all.
我认为它提供了所有必需的组件。例如,它支持通过 https 登录。有很好的参考。如何获得 https 登录,您可以在此处阅读。我认为你应该阅读所有内容。
回答by laz
I'd recommend investigating a single sign-on solution of some sort. A quick search in Google yields JOSSO, Open SSO, and CAS, among others. I've worked a little bit with CAS before and had some positive experiences with it. Spring Security also has support built in to work with CAS.
我建议研究某种单点登录解决方案。在 Google 中快速搜索会产生JOSSO、Open SSO和CAS等。我之前曾与 CAS 合作过,并有一些积极的经验。Spring Security 还内置了与 CAS 一起使用的支持。
回答by Klathzazt
Load for secure pages a script to check the token.
为安全页面加载脚本以检查令牌。
at top of your script:
在您的脚本顶部:
if(!getSecurityToken()) // 1
redirect(login_page)
if(!checkToken(token)) // 2
redirect(login_page)
The login page should set the secure token and create a session, which would then be passed in the request. The server keeps track of which session owns which token. For implementing the server you must implement for your scripts the checkToken method. The token should be saved in cookies or else in someway saved in the page (for subsequent requests).
登录页面应该设置安全令牌并创建一个会话,然后将在请求中传递。服务器跟踪哪个会话拥有哪个令牌。为了实现服务器,您必须为脚本实现 checkToken 方法。令牌应保存在 cookie 中或以其他方式保存在页面中(用于后续请求)。
When a request is made to the server it must contain the token, or else will fail redirect (1).
当向服务器发出请求时,它必须包含令牌,否则重定向 (1) 将失败。
When the users session expires (by logout or timeout) then the mapping in the server will no longer exist (session id to token id) and thus any new requests with the token will be invalid and cause a redirect(2).
当用户会话过期(通过注销或超时)时,服务器中的映射将不再存在(会话 ID 到令牌 ID),因此任何带有令牌的新请求都将无效并导致重定向(2)。
回答by user793953
This post has an interesting solution:
这篇文章有一个有趣的解决方案:
http://forum.springsource.org/archive/index.php/t-65651.html
http://forum.springsource.org/archive/index.php/t-65651.html
The guy used a filter to keep the session active during the switch (https - http)
这家伙使用过滤器在切换期间保持会话处于活动状态(https - http)
It worked for me!
它对我有用!
