提高JSF项目的安全性
我正在尝试将JSF中的本地web项目移动到云上。使用此Firebase筛选器进行身份验证:提高JSF项目的安全性,jsf,jakarta-ee,firebase-authentication,wildfly,Jsf,Jakarta Ee,Firebase Authentication,Wildfly,我正在尝试将JSF中的本地web项目移动到云上。使用此Firebase筛选器进行身份验证: @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest request = (Htt
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
userManagerSession = (UserManager) request.getSession().getAttribute("userManager");
// managed bean name is exactly the session attribute name
// boolean loginRequest = request.getRequestURI().endsWith(LOGIN_PAGE);
if (!request.getRequestURI().startsWith("/giocapp/s/")) {
filterChain.doFilter(request, response);
return;
}
Cookie[] cookies = request.getCookies();
String token = null;
if (cookies != null) {
for (Cookie cookie : cookies) {
if (cookie.getName().equalsIgnoreCase(HttpHeaders.AUTHORIZATION)) {
token = cookie.getValue();
tokenCookie = cookie;
break;
}
}
}
if (token == null || token.isEmpty()) {
System.out.println("Missing token oauth2");
response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
} else {
try {
FirebaseToken decodedToken = FirebaseAuth.getInstance().verifyIdToken(token);
account = new FirebaseAccount(decodedToken.getUid(), decodedToken.getName(), decodedToken.getEmail(),
decodedToken.getPicture());
if (userManagerSession == null) {
userManagerSession = userManager;
userManagerSession.login(decodedToken.getUid());
}
System.out.println(userManager.getUserId());
filterChain.doFilter(request, response);
} catch (FirebaseAuthException e) {
System.out.println("Token oauth2 not valid");
refreshToken(cookies, request, response, filterChain);
}
}
}
这是登录名.xthml:
<p:panel id="panel">
<div class="ui-g-12">
<h:panelGroup styleClass="md-inputfield">
<p:inputText id="user-name" value="#{userManager.userId}"
label="Username" required="true"
requiredMessage="Inserisci il nome utente" />
<label>Username</label>
</h:panelGroup>
<p:message for="user-name" display="icon" />
</div>
<div class="ui-g-12">
<h:panelGroup styleClass="md-inputfield">
<p:password id="password" value="#{userManager.userPassword}"
label="Password" required="true"
requiredMessage="Inserisci la password" />
<label>Password</label>
</h:panelGroup>
<p:message for="password" display="icon" />
</div>
<div class="ui-g-12">
<p:captcha label="Captcha" />
<p:commandButton value="Accedi" icon="ui-icon-person"
action="#{userManager.login()}" update="panel messages" />
<p:button outcome="/s/dashboard" value="Password dimenticata"
icon="ui-icon-help" styleClass="secondary" />
</div>
</p:panel>
</div>
用户名
密码
我已经实现了验证码
;这是减少可能的安全问题的好方法吗?我正在使用具有强密码的firebase身份验证!
我们的想法是将这个项目放在谷歌云平台上,或者在我的防火墙上打开80E443端口,以便让WAN访问。我还想使用let's encrypt,以便通过TLS/SSL使用http(s)来改进加密。有什么理由不使用某种标准身份验证吗?任何时候你都有可能错过一些东西。标准,像普通的JEE安全性一样,经过多年的测试,更可能是安全的。验证码的唯一目的是减少自动登录的机会。它本身没有添加任何安全性。我使用Firebase身份验证和登录方法来过滤请求。验证码只是为了减少自动登录和加密消息的http。顺便说一句,我正在使用标头身份验证,因此我认为可以跳过验证码;不是吗?有没有一些暴力设置需要防止?而你实际的编码问题是?这些代码只是显示了我的过滤器是如何工作的,可能对希望帮助提高安全性的人有用@那么你应该创建一个问题和答案。问题不是“博客”