我有一个 webapp,前端有 angularJS,后端有 Java。 Angular 通过 Restful web 服务与 java 后端通信,通过 HTTP 消费和发送 JSON。我需要为此应用程序构建身份验证机制,并且想知道最好的方法是什么,目前我正在使用基于 JAAS 的身份验证(JDBC 用户表)。这是我的应用程序的配置方式:
我的 web.xml 配置有:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>userauth</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/loginError.html</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<display-name>ConstraintSSL</display-name>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<description/>
<url-pattern>/checkout/*</url-pattern>
<url-pattern>/login/*</url-pattern>
<url-pattern>/login.*</url-pattern>
<url-pattern>/account/*</url-pattern>
<url-pattern>/ad/create</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>ConstraintUser</display-name>
<web-resource-collection>
<web-resource-name>user</web-resource-name>
<description/>
<url-pattern>/account/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>ADMINISTRATORS</role-name>
<role-name>USERS</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description/>
<role-name>USERS</role-name>
</security-role>
<security-role>
<description/>
<role-name>ADMINISTRATORS</role-name>
</security-role>
<session-config>
<session-timeout>30</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<welcome-file-list>
<welcome-file>init.html</welcome-file>
</welcome-file-list>
init.html 仅重定向到 index.html 页面,该页面加载 Angular 并启动实际应用。
现在这是我的 UserController,它在客户端(浏览器)处理与用户相关的事件:
myControllers.controller('UserController', ['$scope', '$routeParams', 'UserService',
function($scope, $routeParams, UserService) {
$scope.logged = false;
// if User is not detected by cookie
$scope.user = fetchUserFromCookie();
if (! $scope.user) {
// set default guest user
$scope.user = {
firstName : 'guest',
lastName : 'user',
preferredCurrency : "USD$",
sessionHash: "XXXXXX",
shoppingCart : {
totalItems : 0,
total : 0
}
};
}
$scope.login = function(userName, pass) {
$scope.user = UserService.login(userName, pass);
$scope.logged = true;
};
$scope.logout = function(userName) {
$scope.user = UserService.logout(userName); // warn server side you're logging out
$scope.logged = false;
$scope.user = null;
};
}]);
我的目标是提供一个具有基于 JAAS 的 JDBC 身份验证的登录页面,并且只允许那些具有特定 ADMIN Angular 色或 USER Angular 色的用户查看特定页面,如何在基于 angularJS + Java 的应用程序中实现这一点?
我主要关心的是 session 跟踪,
如何跟踪特定用户已授予访问权限并有权更改特定记录?
如何防止手动黑客攻击,例如手动更改 JS 代码或更改 Cookie 以劫持用户 session ?
最佳答案
- index.html 页面应该在 html 中包含 token 以避免 CSRF
- token 不应存储在 cookie 存储中
- 每个请求都应使用 header 参数进行签名
- 服务器应通过传递的 header 验证每个请求
- 如果必须使用 cookie,您应该验证 referer 以防止 CSRF
关于javascript - 如何集成基于 angularjs 和 java jaas 的身份验证?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/24129848/