NetBeans电子商务教程-11-SecuringtheApplication.doc

The NetBeans E-commerce Tutorial - Securing the Application确保应用程序安全 This tutorial unit focuses on web application security. When securing web applications, there are two primary concerns that need to be addressed:本教学单元关注web应用程序安全。要确保web应用程序安全有两个主要概念需要注意： Preventing unauthorized users from gaining access to protected content. 阻止未授权用户访问受保护资源。 Preventing protected content from being read while it is being transmitted. 阻止受保护资源在传输过程中被读取。 The first concern, access control, is typically a two-step process that involves (1) determining whether a user is who he or she claims to be (i.e., authentication), and then (2) either granting or denying the user access to the requested resource (i.e., authorization). A simple and common way to implement access control for web applications is with a login form that enables the server to compare user credentials with a pre-existing list of authenticated users.第一个概念，访问控制，是典型的两步处理，包括（1）确定用户是否是他/她声称的人（即，认证），然后（2）准许或拒绝用户访问请求的资源（即，授权）。一种简单通用的web应用程序访问控制方法是登录表单，它使服务器能够比较用户的凭据是否与预先存在的认证用户的一致。 The second concern, protecting data while it is in transit, typically involves using Transport Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL), in order to encrypt any data communicated between the client and server. Upon reviewing the Affable Bean staffs list of requirements, well need to secure the application in the following ways:第二个概念，在数据传输时提供保护，典型地包括使用传输层安全（TLS）或它的前身，安全套接字层（SSL），用于加密客户端和服务器间传输的数据。回顾AffableBean 雇员的需求列表，需要使用以下方法保护应用程序安全： Set up a login form for the administration console that enables staff members access to the consoles services, and blocks unauthorized users. 为管理控制台设置一个登录表单，允许员工访问控制台服务，阻止未授权用户。 Configure secure data transport for both the customer checkout process, and for any data transmitted to and from the administration console. 为客户结帐过程和进出管理控制台的所有数据提供数据传输保护。 In order to implement the above, well take advantage of NetBeans visual editor for the web.xml deployment descriptor. Well also work in the GlassFish Adm