Logging into a website in Java + Google App Engine

Time: 2021-02-15 23:15:28

I am new to web programming, coming from a video game development background (c++), and am really starting to feel information overload. There are so many competing libraries which all pick something they don't like in some other library, and build an entirely new way of doing the same thing! I am sure there are good reasons for this, and I don't want to complain, so I'll explain my problem.

To ease my journey, I've decided to start learning Google App Engine + GWT + Java. I like it because it's a distributed server architecture out of the box, and I've chosen Java because of my C++ background.

To begin with I wrote a little Twitter-like application because it tests various aspects of web development, namely: REST, JSON parsing/creation, AJAX comms, and HTML generation. It didn't take me too long to create a little site that allows a user to enter their name and password into a page in the browser, send the data across to my app, I login on their behalf, grab their friends list, and emit it back to the client as JSON, where I parse it and display it.

Pretty simple stuff.

So, the next step was that I didn't like sending the password the user has entered over the network as plain text (obviously). That got me thinking about all the plumbing I would need:

  1. Authenticate users against my own database, not Google's. (Login/Lost password/Logout)
  2. Enter/exit (track) a session (logged in/logged out).
  3. Store user data in my Google app's database.

All pretty standard stuff that's been around forever. Well I started looking around for a Java authentication library and there were such large, monolithic libraries with huge learning curves, and some are old or not in favour any more... I feel like a total beginner programmer all over again! I just want to have a login page! :)

So then I started reading up on how the plumbing of authentication works, and there is a huge amount to take in. Apparently it's quite common for people to (insecurely) roll their own. I'd rather take a solution that exists and is solid.

So the question becomes, what do people do about this? Twitter supports both HTTP and HTTPS, but defaults to HTTP for its REST API, does that mean people's passwords are flying around unprotected, ready to be intercepted by man-in-the-middle hacks?

I also looked at OAuth, which looks excellent, but it doesn't have a case for just a good old "I don't want to know or care what OpenID is". Non-technical people I've shown OpenID to are like "wha? I just want to put my username/password in".

As a side note, has anyone had any luck with Spring.Security on Google App Engine?

Anyway, I'm ranting. I just want to know what people do (not in Python, Rails etc, but in good old Java). I'd love to have a login page like Digg, with even an option one day for OpenID :)

Cheers, Shane

4 solutions

#1


I can't speak to Spring Security alongside Google App Engine, but I can say a few things about it that may be helpful.

First, it is very simple to set up, and they have good tutorials for getting it up and going. Personally, I used the pet-clinic tutorial as a guide for how to apply Spring Security to my project the first time. I was able to get it set up in a matter of an hour or two and had basic security using my database over a few different pages. Your mileage may vary of course, but worst case scenario you have their full-fledged tutorial you can poke and prod to see how it reacts.

Secondly, the library is very configurable. If you search through the manual you'll get a good idea of the things you can do, and I had no problems reworking the areas I needed to change for my project. I have confidence that you should be able to work those Spring Security and Google App Engine together. In general I have been pleased with the Spring source's foresight and ability to interact with other libraries.

Finally, Spring Security supports OpenID if that's something you decide you want to layer in. I haven't played with this portion yet, but from the tutorial it also looks pretty intuitive. The nice thing here, is that you should be able to add that after the fact if it turns out that you should have supported OpenID after all.

I wish you the best of luck!

#2


I just stumbled upon your post. You seemed (past tense since it's been a long time) to be confused about HTTP / HTTPS usage and authentication. If you are using HTTP, your password is not being bounced around in plain text. Typically, the login information is POSTed via HTTPS. By this time, a session has been established, which is tracked via a large randomly generated identifier in a cookie. The user is authenticated on the server and their id is stored in the session (stored on the server) to mark that they're signed in.

From that point onwards, the user is tracked via the session. Yes it's possible that a man-in-the-middle could hijack the cookie and assume your identity. This is the case for 100% of sites that work over HTTP but it clearly is just not a problem or you'd hear more about it. For HTTPS, the session cookie can be marked as secure, meaning that it will only ever be sent via HTTPS from the browser. In the past, I've found that browsers behave differently, sometimes sharing the same value for a secure and non-secure same-named cookie (which is a dumb idea). Your best bet is to use a separately named secure cookie to ensure the user is logged in for secure functions on your website.

I agree with you that the JAAS framework is plain awful. It must have been written by a bunch of deranged lunatics with no common sense.

As for using Google App Engine - they will take care of all the authentication for you. It looks like you have no choice but to use Google Accounts which is a shame. It's also a shame that they insist that you redirect to their login page because this breaks the way a GWT app works. I'm currently looking into managing my own accounts because I don't want google to own them and I don't want that disjointed experience on my site.

However, it seems impossible to track a user without a session (Sessions can be supported in GAE but are strongly discouraged to promote scalability in GAE). Without a session I literally do need to send the password and authenticate the user with every RPC request. Google are pulling some tricks to make the getUserPrincipal() method work across their server clusters - and it seems you only get that magic if you go with Google Accounts.

Maybe I'm missing something, but the Google docs just skim over this gaping hole :(

#3


hey there, if you wanna work with java you might wanna look into WICKET ... that's a pretty neat java-framework that offers a great deal. it is component-oriented and through the examples pretty easy to understand (see the login-example on the extended example page ... I got it running pretty fast). it also works with other js-frameworks, but also offers its own ajax-implementation. it also has a great mailing-list!

#4


I'm trying to do the same using servlet's security-constraint element. In my application basic/digest auth under https is fine.

In the next day I will also try to implement another application using restlet and/or JAX-RS. Both frameworks provide security hooks.

Enter/exit (track) a session (logged in/logged out).

this can be easily implemented using a servlet filter (again, fully supported by GAE)

As a side note, has anyone had any luck with Spring.Security on Google App Engine?

spring security is supported
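
The session model that answer #2 describes (password POSTed only over HTTPS, a random server-side session id in the cookie, Secure flag on that cookie) and the servlet-filter approach answer #4 suggests, as an added example that is not code from any of the posters: a hypothetical filter for a Java servlet app (javax.servlet API) that bounces plain-HTTP requests to HTTPS, admits only requests carrying a session the login step has populated, and rotates the session at login. It assumes sessions are enabled in GAE, an assumed session attribute name "userId", and that the password check against your own datastore happens in the login servlet before markLoggedIn is called.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter, mapped to the protected URL pattern (e.g. /app/*) in web.xml.
// The browser only holds a random session id; the user's identity lives in the
// server-side session under USER_ATTR (an assumed name, set at login below).
public class LoginRequiredFilter implements Filter {
    static final String USER_ATTR = "userId";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Plain HTTP never reaches the app: neither the password nor the
        // session cookie should travel in the clear, so bounce to HTTPS.
        if (!request.isSecure()) {
            response.sendRedirect("https://" + request.getServerName() + request.getRequestURI());
            return;
        }
        // getSession(false) creates nothing for anonymous callers; only a
        // session the login step has populated counts as logged in.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    // Call from the login servlet's doPost after the password has been verified
    // against your own datastore. Dropping the pre-login session prevents session
    // fixation; mark the cookie Secure and HttpOnly in web.xml (Servlet 3.0+).
    static void markLoggedIn(HttpServletRequest request, String userId) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        request.getSession(true).setAttribute(USER_ATTR, userId);
    }

    // Logout: invalidate the server-side state so the cookie's id is worthless.
    static void markLoggedOut(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
    }
}
```

On Servlet 3.0+ containers the cookie flags come from `<session-config><cookie-config>` with `<secure>true</secure>` and `<http-only>true</http-only>` in web.xml; on older containers the login servlet has to set a separately named Secure cookie itself, as answer #2 recommends.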
