sso单点登陆的web.xml的设置

最新推荐文章于 2022-08-19 17:43:38 发布
最新推荐文章于 2022-08-19 17:43:38 发布
阅读量2.7k 收藏
点赞数
分类专栏: sso web 文章标签: sso authentication basic server login security
web 同时被 2 个专栏收录
14 篇文章 0 订阅
订阅专栏
sso
1 篇文章 0 订阅
订阅专栏
  http://java.boot.by/wcd-guide/ch05s03.html
Compare and contrast the authentication types (BASIC, DIGEST, FORM, and CLIENT-CERT); describe how the type works; and given a scenario, select an appropriate type.
Prev Chapter 5. Web Application Security Next

Compare and contrast the authentication types (BASIC, DIGEST, FORM, and CLIENT-CERT); describe how the type works; and given a scenario, select an appropriate type.

A web client can authenticate a user to a web server using one of the following mechanisms:

  • HTTP Basic Authentication

  • HTTP Digest Authentication

  • HTTPS Client Authentication

  • Form Based Authentication

HTTP Basic Authentication.

HTTP Basic Authentication, which is based on a username and password, is the authentication mechanism defined in the HTTP/1.0 specification. A web server requests a web client to authenticate the user. As part of the request, the web server passes the realm (a string) in which the user is to be authenticated. The realm string of Basic Authentication does not have to reflect any particular security policy domain (confusingly also referred to as a realm). The web client obtains the username and the password from the user and transmits them to the web server. The web server then authenticates the user in the specified realm.

Basic Authentication is not a secure authentication protocol. User passwords are sent in simple base64 ENCODING (not ENCRYPTED !), and the target server is not authenticated. Additional protection can alleviate some of these concerns: a secure transport mechanism (HTTPS), or security at the network level (such as the IPSEC protocol or VPN strategies) is applied in some deployment scenarios. 

				
<web-app>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>User Auth</web-resource-name>
			<url-pattern>/auth/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>admin</role-name>
			<role-name>manager</role-name>
		</auth-constraint>
	</security-constraint>
	
	<login-config>
		<auth-method>BASIC</auth-method>
		<realm-name>User Auth</realm-name>
	</login-config>
	
	<security-role>
		<role-name>admin</role-name>
	</security-role>
	<security-role>
		<role-name>manager</role-name>
	</security-role>
</web-app>

HTTP Digest Authentication.

Like HTTP Basic Authentication, HTTP Digest Authentication authenticates a user based on a username and a password. However the authentication is performed by transmitting the password in an ENCRYPTED form which is much MORE SECURE than the simple base64 encoding used by Basic Authentication, e.g. HTTPS Client Authentication. As Digest Authentication is not currently in widespread use, servlet containers are encouraged but NOT REQUIRED to support it.

The advantage of this method is that the cleartext password is protected in transmission, it cannot be determined from the digest that is submitted by the client to the server.

Digested password authentication supports the concept of digesting user passwords. This causes the stored version of the passwords to be encoded in a form that is not easily reversible, but that the Web server can still utilize for authentication. From a user perspective, digest authentication acts almost identically to basic authentication in that it triggers a login dialog. The difference between basic and digest authentication is that on the network connection between the browser and the server, the password is encrypted, even on a non-SSL connection. In the server, the password can be stored in clear text or encrypted text, which is true for all login methods and is independent of the choice that the application deployer makes. 

				
<web-app>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>User Auth</web-resource-name>
			<url-pattern>/auth/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>admin</role-name>
			<role-name>manager</role-name>
		</auth-constraint>
	</security-constraint>
	
	<login-config>
		<auth-method>DIGEST</auth-method>
		<realm-name>User Auth</realm-name>
	</login-config>
	
	<security-role>
		<role-name>admin</role-name>
	</security-role>
	<security-role>
		<role-name>manager</role-name>
	</security-role>
</web-app>

HTTPS Client Authentication.

End user authentication using HTTPS (HTTP over SSL) is a strong authentication mechanism. This mechanism requires the user to possess a Public Key Certificate (PKC). Currently, PKCs are useful in e-commerce applications and also for a single-sign-on from within the browser. Servlet containers that are not J2EE technology compliant are not required to support the HTTPS protocol.

Client-certificate authentication is a more secure method of authentication than either BASIC or FORM authentication. It uses HTTP over SSL, in which the server and, optionally, the client authenticate one another with Public Key Certificates. Secure Sockets Layer (SSL) provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. You can think of a public key certificate as the digital equivalent of a passport. It is issued by a trusted organization, which is called a certificate authority (CA), and provides identification for the bearer. If you specify client-certificate authentication, the Web server will authenticate the client using the client's X.509 certificate, a public key certificate that conforms to a standard that is defined by X.509 Public Key Infrastructure (PKI). Prior to running an application that uses SSL, you must configure SSL support on the server and set up the public key certificate. 

				
<web-app>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>User Auth</web-resource-name>
			<url-pattern>/auth/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>admin</role-name>
			<role-name>manager</role-name>
		</auth-constraint>
	</security-constraint>
	
	<login-config>
		<auth-method>CLIENT-CERT</auth-method>
		<realm-name>User Auth</realm-name>
	</login-config>
	
	<security-role>
		<role-name>admin</role-name>
	</security-role>
	<security-role>
		<role-name>manager</role-name>
	</security-role>
</web-app>

Form Based Authentication.

The look and feel of the 'login screen' cannot be varied using the web browser's built-in authentication mechanisms. This specification introduces a required form based authentication mechanism which allows a Developer to CONTROL the LOOK and FEEL of the login screens.

The web application deployment descriptor contains entries for a login form and error page. The login form must contain fields for entering a username and a password. These fields must be named j_username and j_password, respectively.

When a user attempts to access a protected web resource, the container checks the user's authentication. If the user is authenticated and possesses authority to access the resource, the requested web resource is activated and a reference to it is returned. If the user is not authenticated, all of the following steps occur:

  1. The login form associated with the security constraint is sent to the client and the URL path triggering the authentication is stored by the container.

  2. The user is asked to fill out the form, including the username and password fields.

  3. The client posts the form back to the server.

  4. The container attempts to authenticate the user using the information from the form.

  5. If authentication fails, the error page is returned using either a forward or a redirect, and the status code of the response is set to 200.

  6. If authentication succeeds, the authenticated user's principal is checked to see if it is in an authorized role for accessing the resource.

  7. If the user is authorized, the client is redirected to the resource using the stored URL path.

The error page sent to a user that is not authenticated contains information about the failure.

Form Based Authentication has the same lack of security as Basic Authentication since the user password is transmitted as plain text and the target server is not authenticated. Again additional protection can alleviate some of these concerns: a secure transport mechanism (HTTPS), or security at the network level (such as the IPSEC protocol or VPN strategies) is applied in some deployment scenarios.

Form based login and URL based session tracking can be problematic to implement. Form based login should be used only when sessions are being maintained by cookies or by SSL session information.

In order for the authentication to proceed appropriately, the action of the login form must always be j_security_check. This restriction is made so that the login form will work no matter which resource it is for, and to avoid requiring the server to specify the action field of the outbound form.

Here is an example showing how the form should be coded into the HTML page: 

					
<form method='post' action='j_security_check'>
	<input type='text' name='j_username'>
	<input type='password' name='j_password'>
</form>	
					
					

				
<web-app>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>User Auth</web-resource-name>
			<url-pattern>/auth/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>admin</role-name>
			<role-name>manager</role-name>
		</auth-constraint>
	</security-constraint>
	
	<login-config>
		<auth-method>FORM</auth-method>
		<realm-name>User Auth</realm-name>
		<form-login-config>
			<form-login-page>login.jsp</form-login-page>
			<form-error-page>error.jsp</form-error-page>
		</form-login-config>
	</login-config> 
	
	<security-role>
		<role-name>admin</role-name>
	</security-role>
	<security-role>
		<role-name>manager</role-name>
	</security-role>
</web-app>

chruan
关注
专栏目录
使用cas做单点登录,web.xml配置
zhuhengli的博客
12-18 5045
1、 添加maven依赖   dependency> groupId>org.jasig.cas.clientgroupId>      artifactId>cas-client-coreartifactId> version>3.3.3version> dependency>   2、 web.xml添加一下项,以tms为例   filter> filter-name>s
SSO简单例子
荒野里的稻草人
09-03 446
&lt;cfcomponent&gt; &lt;cffunction name="setProgressUniv" access="remote" returntype="string" &gt; &lt;cfargument name="user_id" type="numeric" required="yes"&gt; &a
CAS 实现单点登录(SSO)数据库查询认证机制-xml方式(三)
何静媛
04-17 6247
继前面介绍过基于CAS实现单点登录(SSO)的实例演示,演示过程中服务端认证机制采用的是默认配置即CAS Servier默认用户名和密码一致即可登录成功,那么本文将侧重于应用方面,真正通过查询用户名密码来进程验证用户是否可以登录。   CAS Server添加相关的jar包  需要在web项目的lib下添加两个包:cas-server-support-jdbc-x.x.x.jar和 mysq
CAS单点登陆基本使用
u010689849的博客
12-23 448
1.单点登陆简介 单点登陆(single Sign On),简称SSOSSO 的定义是在多个应用系统中,用户只需要登录一次就可以访问所有相互信任的应用系统。传统方式登陆信息是存储在session中,而session是存储在服务器中,但在分布式系统中存在很多子系统,他们有各自的服务器,显然使用session无法解决问题。 2.CAS介绍 CAS是一个解决单点登陆的技术,旨在为 Web 应用系...
apache shiro 反序列化漏洞解决方案
qq_36407469的博客
07-27 5397
一、反序列化漏洞介绍 序列化:把对象转换为字符串或者字节流的过程。 反序列化:把字符串或者字节流恢复为对象的过程。 反序列化漏洞的产生原理,即黑客通过构造恶意的序列化数据,从而控制应用在反序列化过程中需要调用的类方法,最终实现任意方法调用。如果在这些方法中有命令执行的方法,黑客就可以在服务器上执行任意的命令。 二、产生原因 shiro提供了记住我(RememberMe)的功能,即可以在关闭浏览器的情况下,下次打开时还能记住你是谁,无需登录即可访问。 shiro默认使用了CookieRememberMeMa
HTTPCLIENT的授权方式简介
蓝色的梦想
01-08 501
Introduction HttpClient supports three different types of http authentication schemes: Basic, Digest and NTLM. These can be used to authenticate with http servers or proxies. Contents Server Authe...
sso单点登录代码.zip
11-21
SSO(Single Sign-On)单点登录是一种身份验证机制,允许用户在一次登录后访问多个相互关联的应用系统,而无需再次进行身份验证。在IT领域,尤其是企业级应用开发中,SSO是提高用户体验和安全性的重要技术。Spring ...
Spring Security基于JWT实现SSO单点登录详解
08-25
基于 Spring Security 框架和 JWT(JSON Web Token)技术,可以实现 SSO(Single Sign-On)单点登录系统。SSO 是一种常见的身份验证机制,允许用户使用同一个用户名和密码在多个系统中登录。 SSO 的优点: * 提高...
使用springboot结合vue实现sso单点登录
08-25
使用 Spring Boot 结合 Vue 实现 SSO 单点登录 本文主要为大家详细介绍了如何使用 Spring Boot 和 Vue 实现 SSO 单点登录,具有一定的参考价值。下面我们将从技术角度深入探讨该实现的细节。 Spring Boot 的选择 ...
基于JWT实现SSO单点登录流程图解
08-18
基于JWT实现SSO单点登录流程图解是指使用JSON Web Token(JWT)来实现单点登录(SSO)的机制。在这种机制中,用户只需要登录一次,就可以访问多个应用服务器上的资源,而不需要再次登录。下面是基于JWT实现SSO单点...
HTTP Authentication
weixin_30399055的博客
01-28 264
First Authentication andAuthorization are different two concept. Http Base Auth Put user name and password inheader which in base64 encoding. HTTP Digest Auth Like Http Base, user name ...
web.xml 配置文件 超详细说明!!!
weixin_30794499的博客
08-12 4286
一、web.xml是什么? 首先 web.xml 是java web 项目的一个重要的配置文件,但是web.xml文件并不是Java web工程必须的。 web.xml文件是用来配置:欢迎页、servlet、filter等的。当你的web工程没用到这些时,你可以不用web.xml文件来配置你的web工程。 所在位置 项目名/web/WEB-INFO/web.xml,如下图所示 ...
sso 单点登录的配置
cuibruce的博客
11-11 8274
这一章来讲一下配置单点登录    首先用到https协议,所以先用jdk自己的keytool工具来生成秘钥,所有输入密码的地方都用changeit  生成证书需要填入一些信息 最好有包含后面用到单点登录服务的域名 不然后面会报错证书中找不到那个域名 1:在d盘新建一个目录用来存放生成的证书文件d:/cas/keys 2:cmd下面进入到java_home 运行keytool -gen
spring security oauth2 password授权模式
weixin_33748818的博客
12-03 1197
序 前面的一篇文章讲了spring security oauth2的client credentials授权模式,一般用于跟用户无关的,开放平台api认证相关的授权场景。本文主要讲一下跟用户相关的授权模式之一password模式。 回顾四种模式 OAuth 2.0定义了四种授权方式。 授权码模式(authorization code) ...
Authentication in IIS
流男@水孩
08-26 1877
By Joe LimaWe often think about security measures as ways of protecting resources by preventing access to them. The need for authentication arises because, in the real world, keeping people out of pro
CAS SSO单点登录客户端环境搭建
m0_72864708的博客
08-19 158
这个错误很明显,我们需要配置当前容器支持http,找到cas项目下的HTTPSandIMAPS-10000001.json文件,路径为:\WEB-INF\classes\services,里面增加http协议支持。5.重启sso的服务端,再次访问http://sso1.jeesz.cn:8082/sso1(成功跳转)6.其中sso2的客户端,访问http://sso2.jeesz.cn:8083/sso2(成功跳转)其中apache-tomcat-client1-8082的端口改成了8082。
java cas 单点登录web.xml配置
shzy1988的专栏
02-14 5010
filter>           filter-name>CAS Single Sign Out Filterfilter-name>           filter-class>org.jasig.cas.client.session.SingleSignOutFilterfilter-class>       filter>       filter-mapping>      
SSO(单点登录)实施中遇到的几个问题
热门推荐
yan_dk的专栏
12-21 1万+
单点登录应用中,遇到如下的几个问题:1.超时问题;2.jsessionid问题;3.单点退出时有时子系统未能正常退出;4.有些请求路径不需要单点登录过滤器拦截;5.不同应用服务实现可能要求SSO客户端做适应性改造。我们具体分析一下,并提出解决方法。 1.超时问题         我们提供的CAS开源单点登录SSO组件,它部署节点主要有2个:SSO服务器(部署内容为一个web应用)、应用系统
SpringBoot整合SSO单点登录实战教程
在现代Web应用程序开发中,单点登录(Single Sign-On,简称SSO)是一种便捷的身份验证机制,允许用户在一次登录后访问多个相互关联的应用系统,而无需再次进行身份验证。SpringBoot作为一个轻量级的框架,为开发者...
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值