How does an application server know what role a user has?
I am not familiar with application-server-based security constraints. For the following web.xml example, I can see the roles being defined and which roles may access the restricted resource.
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Whatever</realm-name>
</login-config>
<security-role>
<description>Administrator Role</description>
<role-name>admin</role-name>
</security-role>
<security-role>
<description>Privileged User</description>
<role-name>privileged</role-name>
</security-role>
<security-role>
<description>Guest User</description>
<role-name>guest</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Privileged area</web-resource-name>
<url-pattern>/restricted/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>privileged</role-name>
</auth-constraint>
</security-constraint>
When a user first makes an HTTP request for a restricted page, they have no role and are asked for a user name/password. The container can validate the user name against a database and assign the user a role (for example, admin). Where does the container store this role so that, for subsequent HTTP requests, it knows the request has the appropriate role to access the resource?
It is stored in the HTTP session in the web container. Typically, the client receives a session ID (usually in the form of a cookie, but not necessarily) on its first request to the server, or on its first request to the server after its previous session has expired. The client then sends that session ID with subsequent requests. Once the client has authenticated, its security context is stored in the HTTP session associated with that session ID.
The flow looks like this:
Client: Hi, I'd like to access your service.
Server: Ok, who are you?
Client: I'm Bob, and this is my password. (sends credentials - doesn't have to be basic auth with username/password)
Server: Hi Bob - here's your ID card for your stay. It expires after 30 minutes of inactivity. Enjoy! (Sends session ID)
Client: Cool, I'd like to access resource XYZ. Here's my ID. (Sends session ID)
Server: No problem - we've checked the registry and determined that you are in a group that has permission to access XYZ. Enjoy!
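The exchange above, modelled as an added example that is not part of the original answer or of any real servlet container: a minimal container that authenticates against a stand-in realm, binds the resulting security context (principal plus roles) to an unguessable session ID, expires it after 30 minutes of inactivity, and enforces the page's `/restricted/*` constraint for the `admin` and `privileged` roles. The user store, passwords and `Container` class are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the realm's user database (name -> (password, roles)).
# A real realm stores password hashes, not plaintext.
USERS = {
    "bob": ("bob-password", {"privileged"}),
    "alice": ("alice-password", {"admin"}),
    "eve": ("eve-password", {"guest"}),
}
# The page's <security-constraint>: /restricted/* requires admin or privileged.
CONSTRAINTS = [("/restricted/", {"admin", "privileged"})]
INACTIVITY_TIMEOUT = 30 * 60  # seconds; the answer's 30-minute idle expiry

@dataclass
class Session:
    principal: str      # who authenticated
    roles: set          # roles the realm assigned at login time
    last_seen: float    # used for the inactivity timeout

class Container:
    def __init__(self, clock=time.time):
        self.sessions = {}  # session ID -> Session (the HTTP session store)
        self.clock = clock  # injectable for testing expiry

    def login(self, username: str, password: str) -> Optional[str]:
        """Authenticate against the realm; on success issue a session ID ("ID card")."""
        entry = USERS.get(username)
        if entry is None or not secrets.compare_digest(entry[0], password):
            return None
        sid = secrets.token_urlsafe(32)  # unguessable: the ID is a bearer token
        self.sessions[sid] = Session(username, set(entry[1]), self.clock())
        return sid

    def request(self, path: str, session_id: Optional[str] = None) -> int:
        """Return an HTTP-style status for a request that may carry a session ID."""
        session = self.sessions.get(session_id) if session_id else None
        if session is not None:
            if self.clock() - session.last_seen > INACTIVITY_TIMEOUT:
                del self.sessions[session_id]  # expired: must authenticate again
                session = None
            else:
                session.last_seen = self.clock()
        for prefix, allowed in CONSTRAINTS:
            if path.startswith(prefix):
                if session is None:
                    return 401  # no security context: challenge for credentials
                return 200 if session.roles & allowed else 403
        return 200  # unconstrained resource
```

The server never re-reads the role from the client; the only thing the client presents after login is the session ID, which is why that ID must be unguessable and protected in transit.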