Note: Authentication: verify that a user really holds the identity they claim.
The application only cares whether the user passed validation, not how the validation was carried out.
Authorization (access control): ★ Always declare every role the application references with <security-role>.
Where user identity comes from:
Preferred: authentication provided by the container (declarative, static configuration; efficiency is an open question)
A. HTTP Basic authentication (BASIC): username/password are placed in a request header, only Base64-encoded, not encrypted
B. HTTP Digest authentication (DIGEST): (HTTP/1.1) the client sends an MD5 digest that the server validates; the digest covers a server-supplied nonce (carrying a timestamp), the requested resource and the server identity (realm), so the password itself never crosses the wire
C. HTTPS client authentication (CLIENT-CERT): requires SSL/TLS with a client certificate
D. Form-based authentication (FORM): unique to the servlet specification and implemented by the servlet container itself; credentials travel in plaintext unless HTTPS is used (configured through the <form-login-config> element nested inside <login-config>)
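Items A and B above, as an added worked example (not code from the original notes): Basic only Base64-encodes the credentials, so anyone who sees the header recovers the password; Digest sends an MD5 proof bound to a server nonce, the requested URI and the realm, so a captured response cannot be replayed against another resource or after the nonce expires. The user name, password, realm, URI, clock values and the HMAC-signed nonce format are constructed assumptions for the demo.

```python
"""Basic vs. Digest (RFC 2617, qop-less form) as a worked comparison.
Added example; all names, secrets and timestamps below are constructed."""
import base64
import hashlib
import hmac

REALM = "ora-demo"                    # assumed realm (the "server identity")
SERVER_SECRET = b"nonce-secret-key"   # assumed server key used to sign nonces
NONCE_LIFETIME_S = 300                # assumed nonce validity window


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# --- Basic: credentials are only Base64-encoded, never hashed -------------
def basic_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_decode(header: str) -> tuple:
    """A proxy, log file or sniffer sees the header and gets the password back."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, password = raw.split(":", 1)
    return user, password


# --- Digest: server issues a nonce, client proves the password via MD5 ----
def make_nonce(now: float) -> str:
    """timestamp:HMAC(timestamp): the server can check age and authenticity
    without storing every nonce it handed out."""
    ts = str(int(now))
    mac = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}:{mac}"


def digest_response(user: str, password: str, method: str, uri: str, nonce: str) -> str:
    ha1 = md5_hex(f"{user}:{REALM}:{password}")  # server may store this instead of the password
    ha2 = md5_hex(f"{method}:{uri}")             # binds the proof to the requested resource
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def digest_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  response: str, now: float) -> bool:
    # 1. the nonce must be one we issued and still fresh
    try:
        ts, mac = nonce.split(":", 1)
    except ValueError:
        return False
    expected_mac = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(mac, expected_mac):
        return False
    if now - int(ts) > NONCE_LIFETIME_S:
        return False
    # 2. recompute the proof with the stored HA1 for the resource actually requested
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run both schemes on constructed data and report what each reveals/allows."""
    user, password = "alice", "s3cret"
    now = 1_700_000_000.0
    out = {}
    # Basic: the header alone leaks the password
    out["basic_recovers_password"] = basic_decode(basic_header(user, password)) == (user, password)
    # Digest: a correct proof for /secure/report.jsp verifies...
    nonce = make_nonce(now)
    stored_ha1 = md5_hex(f"{user}:{REALM}:{password}")
    resp = digest_response(user, password, "GET", "/secure/report.jsp", nonce)
    out["digest_ok"] = digest_verify(stored_ha1, "GET", "/secure/report.jsp", nonce, resp, now + 5)
    # ...but the captured proof does not work for another resource
    out["replay_other_uri"] = digest_verify(stored_ha1, "GET", "/secure/admin.jsp", nonce, resp, now + 5)
    # ...nor after the nonce has aged out
    out["replay_stale"] = digest_verify(stored_ha1, "GET", "/secure/report.jsp", nonce, resp, now + 3600)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Digest keeps the password off the wire, but HA1 is still a fast MD5 over a guessable password (dictionary attacks on a captured exchange are cheap) and nothing here authenticates the server. Neither scheme is a substitute for running the connection over HTTPS.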
Access control is declared in the web application deployment descriptor defined by the servlet specification: /WEB-INF/web.xml
Access to user information: the request object provides methods for the authenticated user (Servlet 2.2 API): getRemoteUser(), getUserPrincipal() and isUserInRole(role)
Application-controlled authentication (dynamic validation model): the application collects and checks the credentials itself; the password is still transmitted in clear text unless HTTPS is used
Custom tag <ora:validatesession name="xxx" loginpage="login.jsp" errormsg="xxx"/> must be placed at the top of every protected page in the application.
It has 3 required attributes:
  name: the name of the bean object created by the login page
  loginpage: the URL to forward to when no bean with that name is found
  errormsg: the message displayed on the page at the forwarded URL
A page that is only meant to be reached as the target of a POST must also check the request method:
  <% if (!request.getMethod().equals("POST")) { %>
    <ora:redirect page="main.jsp"/>
  <% } %>
This also prevents a user from resubmitting an outdated form (for example by reloading the page).
Running any of the other three schemes over HTTPS removes their cleartext weakness: whether only the server or both client and server are authenticated, the connection itself is encrypted.
Cookie handling:
<ora:addcookie maxage="2592000"/> keeps the cookie for 30 days (30*24*3600 s)
<ora:addcookie maxage="0"/> invalidates the cookie immediately