Question

我的网络应用包括两部分:

GWT app that does all the work.
Handmade servlet aimed to handle OpenID authentication facility.

我需要电话2至1。 http://code.google.com/p/google-web-toolkit-incubator/wiki/Login SecurityFAQ”rel=“nofollow”Login SecurityFAQ,因此,我谨确认我的理解是否正确。

Once OpenID provider confirms that user is OK and gives me its identity, I should register the session.
To "register" the session, I should store somewhere in my DB a mapping between OpenID identity and a session id (identity="https://www.google.com/accounts/o8/id?id=wwyruiwncuyrwieruyfakefakefake" and session id is a large random string like "HiuhoiuhIUHOIUY87Y*&Ttgi6yUYGIuygUHGugyg^G6g").
That session id should be stored on client side in a cookie.
Every time any request is sent from client side, on server side I should check whether client s session id is still fresh enough (alive) and I should also use it to resolve client s identity in case I need it.

是否正确? 在案件审理中,是否有足够的保障?

Answer 1

你的想法是正确的,我也这样说。

仅举几句:

(1) 如果你想要坚持身份,不要忘记确定真实的权利。视开放式登记系统提供人而定,如果对同一用户的下一个标识可能有不同的特性。我认为,谷歌开放国际要求你使用你的服务器名称加港口:

openIdManager.setRealm("http://" + req.getServerName() + ":" + req.getServerPort());

2) 为什么要建立自己的会议管理? 这是很多额外的工作,你最终可能起草一些不可靠的文件。使用共同的http://servlet会议。

3) You won t need to manage session timeouts if you use http sessions, but if you need to intercept all GWT RPC calls, the right place might be overriding service method in your RemoteServiceServlet implementation.

友情链接