翻译原文 没改格式2.docx (Translation source text, format unchanged 2.docx)
- Document number: 27443660
- Upload date: 2023-07-01
- Format: DOCX
- Pages: 21
- Size: 90.40KB
Translation source text, format unchanged 2
Foreign Literature Reading and Translation
Original Foreign-Language Text
This and subsequent chapters discuss how to address security requirements in Java EE, web, and web services applications. Every enterprise that has sensitive resources that can be accessed by many users, or resources that traverse unprotected, open networks, such as the Internet, needs to be protected.
This chapter introduces basic security concepts and security implementation mechanisms. More information on these concepts and mechanisms can be found in the Security chapter of the Java EE 5 specification. This document is available for download online at http://www.jcp.org/en/jsr/detail?id=244.
Other chapters in this tutorial that address security requirements include the following:
- Chapter 29, "Securing Java EE Applications" discusses adding security to Java EE components such as enterprise beans and application clients.
- Chapter 30, "Securing Web Applications" discusses and provides examples for adding security to web components such as servlets and JSP pages.
Some of the material in this chapter assumes that you understand basic security concepts. To learn more about these concepts, you should explore the Java SE security web site before you begin this chapter. The URL for this site is
This tutorial assumes deployment onto the Application Server and provides some information regarding configuration of the Application Server. The best source for information regarding configuration of the Application Server, however, is the Sun Java System Application Server 9.1 Administration Guide. The best source for development tips specific to the Application Server is the Sun Java System Application Server 9.1 Developer's Guide. The best source for tips on deploying applications to the Application Server is the Sun Java System Application Server 9.1 Application Deployment Guide.
Overview of Java EE Security
Java EE, web, and web services applications are made up of components that can be deployed into different containers. These components are used to build a multitier enterprise application. Security for components is provided by their containers. A container provides two kinds of security: declarative and programmatic security.
Declarative security expresses an application component's security requirements using deployment descriptors. Deployment descriptors are external to an application, and include information that specifies how security roles and access requirements are mapped into environment-specific security roles, users, and policies. For more information about deployment descriptors, read "Using Deployment Descriptors for Declarative Security" on page 774.
Programmatic security is embedded in an application and is used to make security decisions. Programmatic security is useful when declarative security alone is not sufficient to express the security model of an application. For more information about programmatic security, read "Using Programmatic Security" on page 776.
Annotations (also called metadata) are used to specify information about security within a class file. When the application is deployed, this information can either be used by or overridden by the application deployment descriptor. For more information about annotations, read "Using Annotations" on page 775.
A Simple Security Example
The security behavior of a Java EE environment may be better understood by examining what happens in a simple application with a web client, a JSP user interface, and enterprise bean business logic.
In the following example, which is taken from JSR-244, the Java EE 5 Specification (http://www.jcp.org/en/jsr/detail?id=244), the web client relies on the web server to act as its authentication proxy by collecting user authentication data from the client and using it to establish an authenticated session.
Step 1: Initial Request
In the first step of this example, the web client requests the main application URL. This action is shown in Figure 28–1.
Since the client has not yet authenticated itself to the application environment, the server responsible for delivering the web portion of the application (hereafter referred to as web server) detects this and invokes the appropriate authentication mechanism for this resource. For more information on these mechanisms, read "Security Implementation Mechanisms" on page 771.
Step 2: Initial Authentication
The web server returns a form that the web client uses to collect authentication data (for example, username and password) from the user. The web client forwards the authentication data to the web server, where it is validated by the web server, as shown in Figure 28–2.
The validation mechanism may be local to a server, or it may leverage the underlying security services. On the basis of the validation, the web server sets a credential for the user.
Step 3: URL Authorization
The credential is used for future determinations of whether the user is authorized to access restricted resources it may request. The web server consults the security policy (derived from the deployment descriptor) associated with the web resource to determine the security roles that are permitted access to the resource. The web container then tests the user's credential against each role to determine if it can map the user to the role. Figure 28–3 shows this process.
The web server's evaluation stops with an "is authorized" outcome when the web server is able to map the user to a role. A "not authorized" outcome is reached if the web server is unable to map the user to any of the permitted roles.
Step 4: Fulfilling the Original Request
If the user is authorized, the web server returns the result of the original URL request, as shown in Figure 28–4.
In our example, the response URL of a JSP page is returned, enabling the user to post form data that needs to be handled by the business logic component of the application. Read Chapter 30, "Securing Web Applications" for more information on protecting web applications.
Step 5: Invoking Enterprise Bean Business Methods
The JSP page performs the remote method call to the enterprise bean, using the user's credential to establish a secure association between the JSP page and the enterprise bean (as shown in Figure 28–5). The association is implemented as two related security contexts, one in the web server and one in the EJB container.
The EJB container is responsible for enforcing access control on the enterprise bean method. It consults the security policy (derived from the deployment descriptor) associated with the enterprise bean to determine the security roles that are permitted access to the method. For each role, the EJB container uses the security context associated with the call to determine if it can map the caller to the role.
The container's evaluation stops with an "is authorized" outcome when the container is able to map the caller's credential to a role. A "not authorized" outcome is reached if the container is unable to map the caller to any of the permitted roles. A "not authorized" result causes an exception to be thrown by the container, and propagated back to the calling JSP page.
If the call is authorized, the container dispatches control to the enterprise bean method. The result of the bean's execution of the call is returned to the JSP, and ultimately to the user by the web server and the web client.
Read Chapter 29, "Securing Java EE Applications" for more information on protecting web applications.
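The following is an added example, not code from the tutorial or the Java EE specification: it shows how the declarative, programmatic and annotation-based mechanisms from the overview come together in the enterprise bean of Step 5. The bean, method and role names (AccountBean, transfer, balance, USER, ADMIN) and the transfer-limit policy are assumptions for illustration.

```java
// Added example, not code from the Java EE tutorial: one stateless session bean
// combining declarative security (annotations, which the deployment descriptor
// may override at deployment time) with a programmatic check in the method body.
// Bean, method and role names (AccountBean, transfer, USER, ADMIN) are assumed.
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"USER", "ADMIN"})   // security roles this component refers to
public class AccountBean {

    @Resource
    private SessionContext ctx;    // gives access to the call's security context

    // Declarative: before the body runs, the EJB container tries to map the
    // caller's credential to USER or ADMIN (Step 5). If it cannot, it throws
    // EJBAccessException, which propagates back to the calling JSP page.
    @RolesAllowed({"USER", "ADMIN"})
    public void transfer(String fromAccount, String toAccount, long cents) {
        // Programmatic: a rule the role annotation alone cannot express.
        // Assumed policy: amounts above 10,000.00 require the ADMIN role.
        if (cents > 1000000L && !ctx.isCallerInRole("ADMIN")) {
            Principal caller = ctx.getCallerPrincipal();
            throw new EJBAccessException("transfer limit exceeded for caller "
                    + caller.getName());
        }
        // ... business logic for the transfer goes here ...
    }

    // Unprotected resource: anonymous (unauthenticated) access is allowed,
    // so no authentication or authorization is required to call it.
    @PermitAll
    public long balance(String account) {
        return 0L; // placeholder: a real bean would read the stored balance
    }
}
```

The role names declared here must be mapped to environment-specific users or groups in the Application Server's deployment descriptor, otherwise every call to transfer ends in the "not authorized" outcome described above.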
Security Functions
A properly implemented security mechanism will provide the following functionality:
- Prevent unauthorized access to application functions and business or personal data
- Hold system users accountable for operations they perform (non-repudiation)
- Protect a system from service interruptions and other breaches that affect quality of service
Ideally, properly implemented security mechanisms will also provide the following functionality:
- Easy to administer
- Transparent to system users
- Interoperable across application and enterprise boundaries
Characteristics of Application Security
Java EE applications consist of components that can contain both protected and unprotected resources. Often, you need to protect resources to ensure that only authorized users have access. Authorization provides controlled access to protected resources. Authorization is based on identification and authentication. Identification is a process that enables recognition of an entity by a system, and authentication is a process that verifies the identity of a user, device, or other entity in a computer system, usually as a prerequisite to allowing access to resources in a system.
Authorization and authentication are not required for an entity to access unprotected resources. Accessing a resource without authentication is referred to as unauthenticated or anonymous access.
These and several other well-defined characteristics of application security that, when properly addressed, help to minimize the security threats faced by an enterprise, include the following:
- Authentication: The means by which communicating entities (for example, client and server) prove to one another that they are acting on behalf of specific identities that are authorized for access. This ensures that users are who they say they are.
- Authorization, or Access Control: The means by which interactions with resources are limited to collections of users or programs for the purpose of enforcing integrity, confidentiality, or availability constraints. This ensures that users have permission to perform operations or access data.
- Data integrity: The means used to prove that information has not been modified by a third party (some entity other than the source of the information). For example, a recipient of data sent over an open network must be able to detect and discard messag