J2EE security system (2)

xiaoxiao 2021-03-29

Date: 2005-08-01
Author: gauss
Category: security authentication

Content:

Security model design of the electronic platform

1. Foreword

Because the office information handled by the electronic platform is sensitive, and because the network is virtual and open, the electronic platform system needs strong security for user access, the network, the system, the application, the database and the transaction manager. The system adopts the J2EE framework to meet these needs: part of the security work is handed to the container, and the application itself provides what is needed to complete the remaining security tasks.

2. Overall design of the scheme

The security system of the electronic platform mainly applies centralized authentication, encryption of system passwords, role configuration of the Web module and role configuration of the EJB module. The design diagram of the whole security system is shown below:

[Figure: electronic platform security system diagram]

2.1 Centralized authentication:

Centralized authentication uses the CA institution's authentication server and Web application. The verification process for the client's digital certificate is the same as for ordinary authentication, and the information is transmitted over HTTPS. After verification completes, the CA institution's Web application forwards to the location given in its configuration file; here we can set it to the top page of the electronic platform system, while writing some information about the authentication into a client Cookie. In this way, when a user of our electronic platform logs in, we only need to call the authentication interface provided by the CA institution to verify. This process uses HTTP and is a great improvement: it guarantees security while having little impact on the electronic platform system, which benefits the development, integration and updating of the system. To better illustrate the difference between centralized authentication and ordinary authentication, I made the following comparison, as shown:

[Figure: centralized authentication vs ordinary authentication]

Below we focus on the application of centralized authentication in the electronic platform system. The following are the network flow diagram of the electronic platform's application process and the flow chart of the centralized authentication program:

[Figure: flowchart of the electronic platform applying centralized authentication]

[Figure: system login and registration procedure using centralized authentication]

Some of the concepts about centralized authentication mentioned above can be found in "Some basic concepts of CA" and "Public key infrastructure (PKI) technology". How to deploy the service certificate and the CA institution's Auth.war, and how to apply them in the electronic platform, are described in the document "Centralized Authentication Application". The authentication interface provided by the CA institution is called inside LoginAction / RegAction. How this is implemented is discussed in "Matters to note during system development" below.

2.2 J2EE security system:

The electronic platform adopts the advanced and popular MVC three-layer (multi-layer) technical architecture, namely View, Controller and Model, as shown below:

[Figure: MVC architecture]

Separating the business logic layer from the view not only facilitates development but also helps ensure the security of the data.

J2EE application security. J2EE applications use a role-based security mechanism. During development, we determine the application's security policy by assigning protected resources and methods to specific security roles. During application assembly, the security roles are mapped to real users and groups. This two-stage security management gives the application great flexibility and portability; at run time, the J2EE container is responsible for enforcing access control on the resources and methods.

The J2EE container supports two types of security:

· Declarative security:

· Programmatic security:

As the name suggests, declarative security is defined mainly in the deployment descriptor: no code is needed, because the security policy is defined for the J2EE container to enforce. Programmatic security requires the programmer to guarantee J2EE security in code. We use declarative security in this system. Their advantages and disadvantages:

Name                    Advantage                                                                 Disadvantage
Declarative security    No code required, reducing the programmers' coding workload;              Poor flexibility; more troublesome when deploying.
                        changing roles is convenient.
Programmatic security   Good flexibility; security can be customized to the needs of the business. Requires coding, adding to the programmers' workload; changing roles
                                                                                                  is inconvenient and needs code changes.

In the electronic platform project we try to use declarative security; programmatic security is used only where declarative security cannot meet the business requirements. Below we discuss the Web module and the EJB module separately:

2.21: Web module:

The roles used in the Web module are as follows:

Public user                   EVERYONE
Business (enterprise) user    Enterprise
Quality inspection user       Organ
Municipal Supervision Bureau  City_SURVEILLANCE
Provincial Supervision Bureau Province_surveillance
State Supervision Bureau      Country_Surveillance
Platform administrator        Plat_Manager

During development and deployment these can be changed and extended as needed.

(A) Define the authentication method:

The authentication mechanism defines how clients are authenticated to the Web application. Before any security constraint is applied, the user must pass the authentication process using the configured mechanism. The Servlet specification defines 4 mechanisms for authenticating users: basic authentication, digest authentication, client certificate authentication and form-based authentication. The electronic platform system mainly adopts client certificate authentication and form-based authentication; for certificates, the centralized authentication mode is used.

(B) Define security roles:

The security roles used in the Web module, each with an optional description text, must be named in the Web deployment descriptor web.xml. A role is a placeholder; it is mapped to real users and user groups when the application is deployed.

(C) Define security constraints:

Multiple security constraints can be defined in the Web module. A security constraint declares how the application is protected. For a given security constraint we define 2 features:

· Web resource collection: a Web resource collection is a group of URL patterns together with the HTTP methods on the resources matched by those patterns. A security constraint can have multiple Web resource collections.

· Authorization constraint: an authorization constraint defines which roles are authorized to access the Web resource collections under the security constraint.

(D) Servlet / JSP security role references (optional):

Here, a security role reference can be defined as needed for pages that require a relatively high security level.
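The following web.xml fragment is an added example, not the electronic platform's own descriptor, showing how the four items above (A: authentication method, B: security roles, C: security constraints, D: security role references) fit together in a Servlet 2.3 deployment descriptor. The URL patterns, page names and the Struts ActionServlet mapping are assumptions; the role names are the ones listed in section 2.21.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>Electronic platform (added example)</display-name>

  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <!-- (D) security role reference: code calls request.isUserInRole("admin");
         the local name "admin" is linked here to the assembler's role -->
    <security-role-ref>
      <role-name>admin</role-name>
      <role-link>Plat_Manager</role-link>
    </security-role-ref>
  </servlet>

  <!-- (C) security constraint = Web resource collection + authorization constraint.
       Paths are assumed; one folder per role, as section 3.22 requires. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Enterprise pages</web-resource-name>
      <url-pattern>/enterprise/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Enterprise</role-name>
      <role-name>Plat_Manager</role-name>
    </auth-constraint>
    <!-- carry these pages over HTTPS only -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration pages</web-resource-name>
      <!-- no http-method listed: every method is constrained -->
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Plat_Manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- (A) authentication method: form-based login (CLIENT-CERT would select
       certificate authentication instead) -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ElectronicPlatform</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- (B) security roles: placeholders, mapped to real users and groups
       in the WAS console at deployment time -->
  <security-role>
    <description>Business (enterprise) user</description>
    <role-name>Enterprise</role-name>
  </security-role>
  <security-role>
    <description>Platform administrator</description>
    <role-name>Plat_Manager</role-name>
  </security-role>
</web-app>
```

Two points worth checking in any real descriptor: when a Web resource collection lists http-method elements, only those methods are constrained and every other method (HEAD, PUT, DELETE, ...) on the same URL pattern stays unprotected, so omit the list unless a specific method really must differ; and the DTD requires the element order used above (servlet before security-constraint, then login-config, then security-role), otherwise the container rejects the descriptor.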

(E) Password encryption:

The most commonly used password encryption is MD5. MD5 stands for Message-Digest Algorithm 5; it was developed in the early 90s by the MIT Laboratory for Computer Science and RSA Data Security Inc, evolving from MD2, MD3 and MD4. Message-digest refers to a hash transformation of a byte string (message): converting a byte string of arbitrary length into a large integer. Note that I use the word "byte string" rather than "string", because the transformation depends only on the byte values and is independent of the character set or encoding. MD5 transforms an arbitrary "byte string" into a large 128-bit integer, and it is an irreversible transformation: in other words, even with the source program and the algorithm description, an MD5 value cannot be turned back into the original string. Mathematically this is because the set of possible original strings is infinite, somewhat like a mathematical function that has no inverse.

The typical application of MD5 is to produce a fingerprint of a message (byte string) so that it cannot be "tampered" with unnoticed. For example, you write a paragraph in a file called Readme.txt, record the MD5 value produced for this Readme.txt, and then distribute the file to others; if anyone modifies anything in the file, recalculating the file's MD5 will reveal it. If there is also a third-party certification body, MD5 can be used to prevent the file's author from "repudiating" it; this is the so-called digital signature application.
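The Readme.txt scenario above, written out as an added Java example (not code from the platform): the recorded fingerprint is recomputed over the received bytes and compared, and a single changed byte is enough to break the match. The sample text is constructed. One caveat a practitioner would add today: MD5 still serves as an integrity fingerprint in this sense, but collisions can be constructed for it, and for stored passwords the current recommendation is a salted, deliberately slow password hash rather than a plain digest.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example: computing and checking an MD5 fingerprint of a byte string. */
public class Md5Fingerprint {

    /** Hash an arbitrary byte string into its 128-bit (16-byte) MD5 digest. */
    public static byte[] md5(byte[] message) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            return md.digest(message);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /** Render the 16-byte digest as the usual 32-character hex string. */
    public static String toHex(byte[] digest) {
        StringBuffer sb = new StringBuffer(digest.length * 2);
        for (int i = 0; i < digest.length; i++) {
            int b = digest[i] & 0xff;
            if (b < 0x10) {
                sb.append('0');
            }
            sb.append(Integer.toHexString(b));
        }
        return sb.toString();
    }

    /** Compare two digests byte by byte without stopping at the first mismatch,
     *  so the comparison time does not reveal how many leading bytes matched. */
    public static boolean sameDigest(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the Readme.txt content whose fingerprint the author records.
        byte[] original = "Please read this file before using the platform.".getBytes("UTF-8");
        byte[] recorded = md5(original);            // the value the author keeps and publishes
        System.out.println("recorded fingerprint: " + toHex(recorded));

        // The unchanged bytes reproduce the fingerprint exactly.
        System.out.println("unchanged file passes: " + sameDigest(recorded, md5(original)));

        // Changing one byte (here the first letter's case) gives an unrelated digest.
        byte[] tampered = (byte[]) original.clone();
        tampered[0] = (byte) 'p';
        System.out.println("tampered file passes:  " + sameDigest(recorded, md5(tampered)));
    }
}
```

The digest is computed over the raw bytes, which is exactly why the text above insists on "byte string": the same characters saved in a different encoding produce a different fingerprint.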

2.22: Web service module

This part is still to be completed.

2.23: EJB module:

EJBs are the J2EE components that implement the business logic of the application and are generally used to access sensitive data, so assigning an appropriate security policy to EJBs is very important.

Access control is applied to individual session and entity bean methods, so that these methods are only accessible to particular security roles. Session, entity and message-driven bean methods run under the caller's identity, under the EJB server's identity, or under a specific security role; this is called the delegation policy, or run-as mode mapping. The following is mainly the process of setting security for the electronic platform's EJB module in WSAD.

(1) Declarative security:

The J2EE deployment descriptor ejb-jar.xml contains the EJB security view, as well as the structure and reference information of the Bean classes. A security view contains a collection of logical security roles. Declarative authorization is generally done in two steps: first declare the Bean's security policy, that is, declare the permissions on the Bean's methods, then declare the security roles for the deployer.

(2) Programmatic security: because not all security policies can be expressed declaratively, the EJB architecture allows the isCallerInRole(String roleName) and getCallerPrincipal() methods of the javax.ejb.EntityContext interface to be used; they give programmatic access to the caller's security context. The security context is what performs all security checks: it encapsulates the current caller's security state. The security context is not visible to application code; the EJB container uses it directly in the background, and it is transmitted implicitly by the stub and skeleton, so the security information propagates with the call.
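An added example of such a programmatic check, not code from the platform: a stateless session bean whose method is already restricted by method permissions to the supervision bureau roles (declarative), and which adds a rule that cannot be declared, namely that a municipal bureau may only approve reports from its own city. isCallerInRole and getCallerPrincipal are declared on javax.ejb.EJBContext, the parent of both SessionContext and EntityContext. The bean name, the report/city fields and the user-to-city lookup are assumptions, and the role names used in the code would be linked to the assembler's roles through security-role-ref entries in ejb-jar.xml.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/** Added example: declarative method permission plus a programmatic, data-dependent check. */
public class InspectionReportBean implements SessionBean {

    private SessionContext ctx;

    // Constructed lookup standing in for the platform's real user directory (assumption).
    private static final Map CITY_OF_USER = new HashMap();
    static {
        CITY_OF_USER.put("bureau_shanghai", "Shanghai");
        CITY_OF_USER.put("bureau_nanjing", "Nanjing");
    }

    // In-memory audit trail so the business method has an observable effect.
    private final List approvals = new ArrayList();

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() throws CreateException { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }

    /**
     * ejb-jar.xml limits this method to City_SURVEILLANCE and Province_SURVEILLANCE;
     * the container has already rejected every other caller before we get here.
     */
    public void approveReport(String reportId, String reportCity) {
        Principal caller = ctx.getCallerPrincipal();   // identity the container authenticated
        String user = caller.getName();

        // A provincial bureau may approve a report from any city.
        if (ctx.isCallerInRole("Province_SURVEILLANCE")) {
            approvals.add(reportId + " approved by " + user);
            return;
        }
        // A municipal bureau may approve only reports from its own city.
        if (ctx.isCallerInRole("City_SURVEILLANCE")
                && reportCity.equals(CITY_OF_USER.get(user))) {
            approvals.add(reportId + " approved by " + user);
            return;
        }
        // Fail closed: any caller that matches neither rule is refused, and the
        // system exception also rolls back the container-managed transaction.
        throw new EJBException("caller " + user + " may not approve report " + reportId);
    }

    public List getApprovals() {
        return approvals;
    }
}
```

The split follows the document's own policy: the coarse "which roles at all" decision stays declarative in ejb-jar.xml, and code is only written for the part that depends on the data being accessed.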

(A) Define security roles

The security roles used in EJBs must be named in the EJB module's deployment descriptor ejb-jar.xml; each name can have an optional description text. A role is a placeholder that is mapped to real users and user groups when the application is deployed.

(B) Assign method permissions

Session and entity bean methods are protected by assigning the appropriate permissions to particular roles. Method permissions are defined in the EJB deployment descriptor ejb-jar.xml.

(C) Assign roles for unprotected methods

During application installation, for session and entity EJB methods that are not explicitly protected in the deployment descriptor, the IBM WebSphere Application Server administrative console can be used to specify their method permissions. These unprotected methods can use one of the following permissions:

· Uncheck: the default option, meaning anyone can call these methods.

· Exclude: no one can call these unprotected methods.

· Role: these unprotected methods can only be called by members of the specified security role.

(D) Managing the delegation policy

When one EJB calls a method of another EJB, by default the identity of the first EJB's caller is propagated to the second EJB, so that all EJB methods in the call chain see the same basic information. In some cases, however, an EJB needs to call another EJB method with a predefined identity, such as a member of a given role. An example is the onMessage() method of a message-driven bean that calls a protected method of a session bean. The onMessage() method of a message-driven bean is invoked by the container without a caller role, so it cannot call the session bean's protected method. By delegating the onMessage() method to run as a specific role, and then adding that role to the protected session bean method's permissions, the onMessage() method can access the protected methods.

(E) Bean-level delegation

The EJB 2.0 specification defines an element that enables EJB bean-level delegation, which allows the application assembler to specify that all methods of a given bean run as a member of a specified security role. At deployment time, a real user who acts as the specified security role must be mapped to that role through a run-as role mapping process. The delegated bean then calls other EJBs with the identity of the mapped user.

(F) Method-level delegation

Besides the bean-level delegation policy defined in the EJB 2.0 specification, IBM WebSphere Application Server also provides method-level EJB delegation. This works the same as bean-level delegation, but it can be applied to specified EJB methods rather than to the bean as a whole. This finer-grained delegation lets the application assembler (integrator) delegate different methods of the same EJB to different security roles.

In addition, client delegation provides an extra delegation option: run as server. This option indicates that the method calls other EJBs using the identity of the application server.

(G) Define security role references (optional)

A security role reference is an indirection layer between the security role names used in the EJB's Java code and the security roles defined during application assembly. This indirection allows the name of a security role to be changed without changing any application code.
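The following ejb-jar.xml fragment is an added example, not the platform's own descriptor, that puts items (A), (B), (C), (D)/(E) and (G) above into one EJB 2.0 deployment descriptor: security roles, a method permission, an explicitly unchecked method and an excluded method, a message-driven bean delegated with run-as so that its onMessage() can reach a protected session bean method, and a security role reference. Bean and class names (platform.*) and method names are assumptions; the role names are the supervision bureau roles from section 2.21. WebSphere's method-level delegation (F) lives in the IBM extension descriptor, not here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>InspectionReport</ejb-name>
      <home>platform.InspectionReportHome</home>
      <remote>platform.InspectionReport</remote>
      <ejb-class>platform.InspectionReportBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- (G) role reference: the name used in isCallerInRole(...) in the code,
           linked to the role the assembler defines below -->
      <security-role-ref>
        <role-name>City_SURVEILLANCE</role-name>
        <role-link>City_SURVEILLANCE</role-link>
      </security-role-ref>
    </session>

    <message-driven>
      <ejb-name>ReportQueueListener</ejb-name>
      <ejb-class>platform.ReportQueueListenerBean</ejb-class>
      <transaction-type>Container</transaction-type>
      <message-driven-destination>
        <destination-type>javax.jms.Queue</destination-type>
      </message-driven-destination>
      <!-- (D)/(E) bean-level delegation: onMessage() arrives with no caller role,
           so the whole bean runs as a role admitted by approveReport below.
           At deployment a real user is mapped to this run-as role. -->
      <security-identity>
        <run-as>
          <role-name>Province_SURVEILLANCE</role-name>
        </run-as>
      </security-identity>
    </message-driven>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- (A) security roles: placeholders mapped to users/groups at deployment -->
    <security-role>
      <description>Municipal Supervision Bureau</description>
      <role-name>City_SURVEILLANCE</role-name>
    </security-role>
    <security-role>
      <description>Provincial Supervision Bureau</description>
      <role-name>Province_SURVEILLANCE</role-name>
    </security-role>

    <!-- (B) method permission: only these roles may call approveReport -->
    <method-permission>
      <role-name>City_SURVEILLANCE</role-name>
      <role-name>Province_SURVEILLANCE</role-name>
      <method>
        <ejb-name>InspectionReport</ejb-name>
        <method-name>approveReport</method-name>
      </method>
    </method-permission>

    <!-- (C) "Uncheck" made explicit: any caller, authenticated or not -->
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>InspectionReport</ejb-name>
        <method-name>listPublicReports</method-name>
      </method>
    </method-permission>

    <!-- (C) "Exclude": no caller at all may invoke this method -->
    <exclude-list>
      <method>
        <ejb-name>InspectionReport</ejb-name>
        <method-name>purgeAllReports</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
```

A check worth doing before deployment: every business method on the remote interface should appear in some method-permission or in the exclude-list, because a method mentioned nowhere gets the console's default, which section (C) notes is "Uncheck", that is, callable by anyone.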

3. Matters to note during system development

3.1 How to invoke the authentication interface provided by Xinhe

Since there are still some problems with the configuration of the authentication server, we tried a variety of approaches. We use Xinhe's Web application, but modified on this basis: instead of verifying the validity of the certificate through the authentication server, code is used to verify whether the certificate is signed by Xinchengtong and whether it has expired. This approach is only for the application phase; in the delivery project and the formal release during our testing phase, their authentication server is used to verify the certificate. There are 2 places where the electronic platform system uses the interface provided by Xinchengtong:

3.11 In the login Action; for the specific implementation code refer to QiyeLoginAction and JigouLoginAction.

3.12 In the registration Action; for the specific implementation code refer to QiyegegAction.

3.2 How to develop declarative security and security role mapping for the Web module

3.21 Development method based on form authentication

This part uses the Struts front-end Validator and the back-end Action to verify the legality of the user. The Validator checks whether the username and password are fully entered, whether their lengths are legal, and so on. After the Validator check, the data is submitted to the Action for back-end processing. This not only prevents malicious submissions from the client but also guarantees the legality of the data, which helps improve server performance. This development method is the same as the login verification we usually write, but note: inside the Action, besides verifying the username and password, the client's Tokenid is also verified, that is, the centralized authentication interface provided by the CA institution is called. The verification logic we use during development is as follows: first get the cookie array object from the request, loop through it to get the Tokenid value, then call Authzprn.authzprnpriVilege(Tokenid, "", request.getRemoteAddr()) to get the PRNPROPERTY object. Each of cookie, Tokenid and PRNPROPERTY is checked for NULL; only when PRNPROPERTY is not NULL, that is, when the authentication has passed, are the username and password verified. For this part of the code refer to the two Actions QiyeLoginAction and JigouLoginAction. During development I was responsible for the login and registration part; this interface is not called anywhere else.
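The token-check part of that login logic, as an added Java example rather than the platform's QiyeLoginAction or JigouLoginAction: the cookie array, the Tokenid and the returned PRNPROPERTY are each tested for null, and every null means "not authenticated", so the username/password step is reached only after the CA has accepted the token. Authzprn and PRNPROPERTY are the CA institution's classes as named on this page; their package and exact signature are assumed here and must be taken from the vendor's documentation. The cookie name "Tokenid" is likewise an assumption.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

/** Added example: fail-closed Tokenid check preceding the username/password check. */
public class CentralAuthCheck {

    // Assumed cookie name under which the CA's Web application stores the token.
    static final String TOKEN_COOKIE = "Tokenid";

    /** Walk the cookie array and return the Tokenid value, or null if it is absent or empty. */
    public static String findToken(Cookie[] cookies) {
        if (cookies == null) {                 // the browser sent no cookies at all
            return null;
        }
        for (int i = 0; i < cookies.length; i++) {
            if (TOKEN_COOKIE.equals(cookies[i].getName())) {
                String value = cookies[i].getValue();
                return (value == null || value.length() == 0) ? null : value;
            }
        }
        return null;
    }

    /**
     * Ask the CA institution whether the token is valid for this client address.
     * Returns the PRNPROPERTY on success, or null when there is no token or the
     * CA rejects it (the vendor call itself returns null in that case).
     */
    public static PRNPROPERTY verifyToken(HttpServletRequest request) {
        String tokenId = findToken(request.getCookies());
        if (tokenId == null) {
            return null;
        }
        // Vendor interface as named on this page; second argument assumed to be an empty string.
        return Authzprn.authzprnpriVilege(tokenId, "", request.getRemoteAddr());
    }

    /** Gate used by the Action: only a non-null PRNPROPERTY lets the login continue. */
    public static boolean centralAuthPassed(HttpServletRequest request) {
        return verifyToken(request) != null;
    }
}
```

Inside the Action the call is simply `if (!CentralAuthCheck.centralAuthPassed(request)) return mapping.findForward("failure");` before the username and password are looked at. One operational point: request.getRemoteAddr() is the address of the TCP peer, so if the platform is placed behind a reverse proxy the CA will receive the proxy's address rather than the user's, which matters if the CA binds the token to the client address.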

3.22 Development of defining security roles for Web components

In section 2.21 we initially defined several roles for the Web components, which requires us to place the corresponding Web components in the corresponding folders. Whether a user can access the pages in a folder is determined by the user's role. So during front-end development we must place each page in the folder belonging to the object it serves, and not place it casually. At the same time, the Web components are modular, and no cross-module access is needed unless there is a special requirement.

Here we mainly introduce how to set up the Web security roles in WSAD and WAS:

(A) Security role definition

Open the Web deployment descriptor, as shown:

Click "Security", then click Add to add a security role. Give the role a name; we name it "Manager", and add some descriptive text in the description box. Other roles can be added in the same way according to the needs of the business.

(B) Set security constraints

After the security role is defined, save. Enter the security constraint settings: click the "Security Constraints" option to enter the security constraint interface, as shown in the figure:

Click "Add" and enter a name. In the "Web Resource Collection" section, click Add; in the window that opens, enter the corresponding text and choose the HTTP methods, for example GET and POST, then click Add. The URL pattern can use wildcards such as "/*", "/*.jsp" and "/". Confirm. A security constraint can have multiple Web resource collections. Click the editor of "Authorized Roles", check the roles to authorize (the roles shown are the ones we just defined), and confirm. Other constraints can be added in the same way.

After completing, save!

The definition and configuration of the Web security roles is now complete; the remaining work is to map these roles to the actual users of the system when we deploy.

Export the project as an EAR file (XX.EAR). Next we discuss how to deploy the project on WAS and map the Web security roles to actual users:

1. Start the WAS server

2. Log in to the administrative console

3. Install the enterprise application

The last step is not described further; it can be carried out following the relevant prompts. Several places need attention: the security roles defined in the Web deployment descriptor are mapped to actual users, as shown:

Users or user groups can be added and modified by searching for them, as shown below:

Below we mainly discuss the Web security settings.

4. Enable global security

Before configuring global security, let's first understand a few terms and their meanings:

(1) User registry

· LocalOS: The WebSphere authentication mechanism can use the user account database of the local operating system. WebSphere Application Server provides implementations of the local account registry and the domain registry for Windows NT and Windows 2000, and of the user account registry for Linux, Solaris and AIX. Requirements:

· For stand-alone machines, the user should:

o be a member of the Administrators group;

o have the "Act as part of the operating system" privilege;

o have the "Log on as a service" privilege (if the server runs as a service).

· For machines that are domain members, only this user can start the server process, and the user must be:

o a member of the domain controller's administrators group;

o granted the "Act as part of the operating system" privilege in the domain security policy on the domain controller;

o granted the "Act as part of the operating system" privilege in the local security policy on the local machine;

o granted the "Log on as a service" privilege on the local machine (if the server runs as a service).

Note: the user is a domain user rather than a local user, which means that when the machine is part of a domain, only this user can start the server.

· For domain controller machines, the user should be:

o a member of the domain controller's administrators group;

o granted the "Act as part of the operating system" privilege in the domain security policy on the domain controller;

o granted the "Log on as a service" privilege on the domain controller (if the server runs as a service).

Since our development machines are not domain members, we use the stand-alone local OS registry during development.

· LDAP: Lightweight Directory Access Protocol (LDAP) is a user registry that performs authentication using an LDAP bind. WebSphere Application Server security provides and supports most major LDAP directory server implementations as the repository of user and group information. The product processes (servers) call the LDAP server to authenticate users and for other security-related tasks (for example, getting user or group information). This support is provided through different user and group filters that are used to obtain the user and group information. These filters have default values, which you can modify to suit your needs. In addition, the custom LDAP feature allows any other LDAP server to be used as the user registry by supplying the appropriate filters (even one that is not in the product's list of supported LDAP servers).

To use LDAP as the user registry you need to know a valid user name (ID), the user's password, the server host and port, the base distinguished name (DN) and, if necessary, the bind DN and bind password. Any valid user in the registry can be selected. In certain LDAP servers the administrative user is not searchable and cannot be used (for example cn=root in SecureWay); see the documentation for that user. This user is referred to as the WebSphere Application Server security server identity, server identity, or server user ID. Being the server identity means having special privileges when calling some protected internal methods. Usually, once security is turned on, this identity and password are used to log in to the administrative console; other users can be used if they are part of an administrative role.

When security is enabled in the product, this server identity and password are authenticated against the registry; if authentication fails, the server cannot start. It is important to choose an identity and password that do not expire or change frequently. If you need to change the product's server user ID or password in the registry, make sure the change is made while all product servers are up and running. Once the change is completed in the registry, follow the steps described in "Configure LDAP user registry": change the identity, password and other configuration information, save, then stop and restart all servers so that the product uses the new identity or password. If you encounter problems when starting the product, you can disable security so that the server can start (to avoid this situation, make sure any changes in this panel are confirmed in the "Global security" panel). Once the server starts, you can change the identity, password and other configuration information and enable security again.

· Custom: this system does not use this option.

(2) Authentication mechanism

· SWAM: Simple WebSphere Authentication Mechanism (SWAM) is for simple, non-distributed, single application server runtime environments. The single application server restriction is because SWAM does not support forwardable credentials. If a servlet or enterprise bean in application server process 1 calls a remote method of an enterprise bean in another application server process 2, the caller identity in process 1 is not sent to server process 2; unauthenticated credentials are sent instead, which may cause authorization failures depending on the security permissions configured on the EJB methods.

Since SWAM is for single application server processes, it does not support single sign-on (SSO). The SWAM authentication mechanism is suitable for simple environments, software development environments, or other environments that do not need a distributed security solution. We use it during development.

· LTPA: Lightweight Third Party Authentication (LTPA) is for distributed environments with multiple application servers and machines. It supports forwardable credentials and single sign-on (SSO). LTPA supports security in a distributed environment through cryptography: it allows authentication-related data to be encrypted, digitally signed and securely transmitted, and to be decrypted and have its signature verified later.

The Lightweight Third Party Authentication (LTPA) protocol allows WebSphere Application Server to provide security in a distributed environment using cryptography. Application servers distributed over multiple nodes and cells can communicate securely with this protocol. It also provides single sign-on (SSO): a user authenticated once within a domain name system (DNS) domain can access resources in other WebSphere cells without being prompted again. The protocol uses cryptographic keys (LTPA keys) to encrypt and decrypt the user data passed between servers. These keys must be shared between different cells so that resources in one cell can access resources in other cells (this assumes all the cells involved share the same LDAP or custom registry).

With LTPA, a token containing the user information and its expiration time is created and signed with the key. The LTPA token is time sensitive: all product servers participating in the protected domain must have their time, date and time zone synchronized; otherwise the LTPA token expires too early and causes authentication or validation failures. The token is then passed to other servers (in the same cell or in different cells) through cookies (for Web resources when SSO is enabled) or through the authentication layer (Security Authentication Service (SAS) or Common Secure Interoperability Version 2 (CSIv2) for enterprise beans). If the receiving server or servers share the same key as the originating server, the token can be decrypted to obtain the user information, which is then validated to make sure it has not expired and that the user information in the token is valid in its registry. After successful validation, the resources in the receiving server can be accessed after the authorization checks.

All WebSphere Application Server processes in a cell (cell, nodes, application servers) share the same set of keys. If keys need to be shared between cells, export them from one cell and import them into the other. For security, the exported keys are encrypted with a user-defined password; this password is required when the keys are imported into another cell.

LTPA is the only mechanism supported in the WebSphere Application Server Network Deployment version. In the WebSphere Application Server Base version, both LTPA and Simple WebSphere Authentication Mechanism (SWAM) are supported. When security is first enabled in WebSphere Application Server Network Deployment or Base with LTPA, the LTPA initialization step is usually performed. The user registry required by LTPA is a central shared repository such as LDAP or a Windows domain-type registry, so that users and groups are the same regardless of the mechanism.

The following table summarizes the capabilities of the authentication mechanisms and the user registries that can be used with them:

        Forwardable credentials   SSO   LocalOS user registry   LDAP user registry   Custom user registry
SWAM    NO                        NO    YES                     YES                  YES
LTPA    YES                       YES   YES                     YES                  YES

The actual deployment in the future will use LTPA.

Here is how the user registry and authentication mechanism discussed above

WebSphere

How to set up discussion:

(1)

User registry

·

Localos

:

Steps for this task

1.

Click Security in the Regional Davigation panel of the management console

>

User registry

>

local

OS

.

2.

Enter a valid user name in the Server User Identification field. 3.

Enter a user password in the Server User Password field.

4.

Click OK. Restart the server.

Verification of users and passwords did not occur in this panel. Just when you are

"

Global security

"

Click OK or Apply when you click OK or Apply. If you are in the process of enabling security, complete other steps and go to

"

Global security

"

Panel to ensure local

OS

Yes

"

Active user registry

"

. If security is enabled, and you have changed users or password information in this panel, make sure to

"

Global security

"

Panel, and click OK or App to verify changes. If your changes are not verified, the server may not be able to start.

·

LDAP

:

Steps for this task

1. In the administrative console, click Security > User registries > LDAP in the left navigation panel.

2. Enter a valid user name in the Server user ID field. Depending on the user filter defined in the Advanced LDAP settings panel, you can enter either the user's full distinguished name (DN) or the user's short name. For example, for Netscape, enter the user ID.

3. Enter the user's password in the Server user password field.

4. Select the LDAP server type from the Type list. The LDAP server type determines the default filters that WebSphere Application Server uses. When these default filters are changed, the Type field changes to Custom, which indicates that custom filters are in use; this happens after you click OK or Apply in the Advanced LDAP settings panel. To use another LDAP server, select Custom from the list and modify the user and group filters as needed. If you choose IBM Directory Server or iPlanet Directory Server, also select the Ignore case field.

5. Enter the fully qualified host name of the LDAP server in the Host field.

6. Enter the LDAP server port number in the Port field. The host name and port number represent the realm of this WebSphere Application Server cell's LDAP server. Therefore, if servers in different cells communicate with each other using Lightweight Third Party Authentication (LTPA) tokens, these realms must match exactly in all cells.

7. Enter the base distinguished name (DN) in the Base distinguished name field. The base DN indicates the starting point for searches in this LDAP directory server. For example, for a user whose DN is cn=John Doe, ou=Rochester, o=IBM, c=US, the base DN can be specified as any of the following (assuming the suffix c=US): ou=Rochester, o=IBM, c=US or o=IBM, c=US or c=US. This field can be case sensitive, and it is recommended that it match the case used in the directory server. This field is required for all LDAP directories except Domino Directory; the "Base DN" field is optional for Domino servers.

8. If needed, enter the bind DN in the Bind distinguished name field. The bind DN is required when the LDAP server does not allow anonymous binds to obtain user and group information. If the LDAP server is set up to use anonymous binds, leave this field blank.

9. If necessary, enter the password for the bind DN in the Bind password field.

10. Modify the Search timeout value if needed. This timeout value is the maximum time the LDAP server waits to send a response to the product client before giving up the request. The default is 120 seconds.

11. Disable this flag only when you use a router to send requests to multiple LDAP servers and the router does not support it. For all other requests, keep this field enabled.

12. Enable the Ignore case flag if needed. When enabled, the authorization check is not case sensitive. Typically, an authorization check involves comparing the complete user DN (which is unique in the LDAP server) and is case sensitive. However, when IBM Directory Server or iPlanet Directory Server is used as the LDAP server, this flag needs to be enabled, because the group information obtained from the LDAP server is inconsistent in case. This inconsistency affects only the authorization check.

13. If communication with the LDAP server is over SSL, enable Secure Sockets Layer (SSL). For more information on setting up SSL for LDAP, see Configuring SSL for LDAP clients.

14. If SSL is enabled, select the SSL alias configuration from the list in the SSL configuration field.

15. Click OK.

The user, password, and settings are not validated in this panel. Validation happens only when you click OK or Apply in the Global security panel. If you are enabling security for the first time, complete the remaining steps and then go to the Global security panel and select LDAP as the active user registry. If security is already enabled and information on this panel has been changed, go to the Global security panel and click OK or Apply to validate your changes. If your changes are not validated, the server may not be able to start.

(2) Authentication mechanisms

· SWAM:

As mentioned earlier, SWAM is designed for simple, non-distributed, single application servers. The reason it is limited to a single application server is mainly that SWAM cannot forward credentials.

Using SWAM on IBM WebSphere Application Server requires no special configuration. Just select SWAM as the authentication mechanism on the Global security page.

· LTPA:

When security is set up for the first time, the initial execution of this task requires the following steps.

Steps for this task

1. Click Security > Authentication mechanisms > LTPA in the left navigation panel.

2. Enter your password in the Password field and confirm it. This password is used to encrypt and decrypt the LTPA keys during key export and import. Remember this password, because you will need to enter it again when you export the keys from this cell to another.

3. Enter a positive integer value in the Timeout field. This timeout value is the validity period of the LTPA token, in minutes. The token contains this expiration time so that any server receiving the token can verify that it is still valid before further processing. When the token expires, the user is prompted to log in again. The ideal value for this field depends on your configuration. The default is 30 minutes.

4. Click Apply or OK. The LTPA configuration is now set. You should not generate the LTPA keys in this step, because they are generated automatically later. The remaining steps require security to be enabled, starting with SSO (if SSO is needed).

This system does not need it!

5. Complete the information in the "Global security" panel and press "OK". When you click OK or Apply in the "Global security" panel, the LTPA keys are generated automatically, so you should not generate the keys manually.
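Added example, not from the original article and not the real LTPA token format: a simplified signed token that carries the expiry configured in step 3, which a receiving server checks (signature first, then expiry) before doing any further work. The key and the user DN are constructed placeholders.

```python
# Added example (not from the original article, and not the real LTPA token
# format): a simplified signed token that carries the expiry described in
# step 3. Every server that receives it verifies the signature and the expiry
# before doing any further work; an expired token sends the user back to login.
import base64, hashlib, hmac, json, time

DEFAULT_TIMEOUT_MINUTES = 30   # the console default quoted in step 3
SIG_LEN = hashlib.sha256().digest_size

def issue_token(key: bytes, user_dn: str, timeout_minutes: int = DEFAULT_TIMEOUT_MINUTES,
                now: float = None) -> str:
    """Build a token = base64(json_claims || hmac_sha256(key, json_claims))."""
    if not isinstance(timeout_minutes, int) or timeout_minutes <= 0:
        raise ValueError("timeout must be a positive integer number of minutes")
    now = time.time() if now is None else now
    body = json.dumps({"u": user_dn, "exp": int(now + timeout_minutes * 60)},
                      separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + sig).decode()

def check_token(key: bytes, token: str, now: float = None) -> dict:
    """Verify before trusting: signature first, so a forged 'exp' is never read
    from an unauthenticated body; then the absolute expiry."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        return {"ok": False, "reason": "malformed", "user": None}
    body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        return {"ok": False, "reason": "bad signature", "user": None}
    claims = json.loads(body)
    if now >= claims["exp"]:
        return {"ok": False, "reason": "expired: prompt login", "user": None}
    return {"ok": True, "reason": "valid", "user": claims["u"]}

# Constructed sample values: in a real cell the key would be the generated
# LTPA key material shared by all servers; this is only a placeholder.
KEY = b"placeholder-shared-key-for-this-cell"
T0 = 1_700_000_000.0

if __name__ == "__main__":
    tok = issue_token(KEY, "cn=John Doe,ou=Rochester,o=IBM,c=US", now=T0)
    print(check_token(KEY, tok, now=T0 + 10 * 60))       # valid
    print(check_token(KEY, tok, now=T0 + 31 * 60))       # expired
    print(check_token(b"another-cell-key", tok, now=T0))  # bad signature
```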

3.3 How to develop Web module programmatic security

This part is used when the declarative security model cannot meet the requirements; it is left out for now!

3.4 How to develop EJB module declarative security

This part of the content needs to be added!

3.5 How to develop EJB module programmatic security

This part is used when the declarative security model cannot meet the requirements; it is left out for now!

4. Summary

The above is my preliminary design, and some content remains to be supplemented. Since I have not previously participated in the design of a J2EE security system, and the electronic platform's security requirements are relatively high, there are certainly many shortcomings and mistakes in this design; I ask colleagues to criticize and correct it, so that a more comprehensive system security architecture can pave the way for our later development work.

5. References

The main references are as follows:

"IBM WebSphere Studio J2EE Application Development", Howard Kushner (editor)

"WebSphere V5.0 Security Handbook" (IBM Redbook)

"WebSphere Application Server V5.0 System Management and Configuration" (IBM Redbook)

"WebSphere V6.0 Security Handbook" (IBM Redbook)

IBM WebSphere Information Center

IBM China Technical Forum
