Life Lies in Motion

Acegi Security Reference Documentation: Preface

        Acegi Security provides a comprehensive security solution for J2EE-based enterprise applications. By the time you have worked through this reference guide, you will find that we have given you a very useful and highly configurable security system. Security is an ever-moving target, and it is important to adopt a comprehensive, system-wide approach. In security circles we encourage you to adopt "layers of security", so that each layer is secured as far as it can be in its own right, with successive layers building on one another to add further protection. The more tightly each layer is defined, the more robust and secure your application will be.

At the bottom level you need to deal with issues such as transport security and system identification, which mitigate man-in-the-middle attacks. Next you will generally need a firewall, perhaps with VPNs or IP security, to ensure that only authorised systems can connect. In a corporate environment you may deploy a DMZ to separate public-facing servers from the back-end database and application servers. Your operating system is an equally important part, addressing issues such as running processes as non-privileged users and maximising file system security. An operating system will usually also be configured with its own firewall. Hopefully somewhere along the way you'll be trying to prevent denial of service and brute force attacks against the system. An intrusion detection system will also be especially useful for monitoring and responding to attacks, with such systems able to take protective action such as blocking offending TCP/IP addresses in real-time. Moving to the higher layers, your Java Virtual Machine will hopefully be configured to minimize the permissions granted to different Java types, and then your application will add its own problem domain-specific security configuration. Acegi Security makes this latter area - application security - much easier.
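As an added illustration of the JVM layer mentioned above (this is not part of the Acegi documentation or the Acegi project), the following is a Java security policy file that grants an application's own code only the permissions it actually needs. The code base path, the database host name and port, and the log and configuration directories are all assumptions made for the example. One caveat for readers on modern JDKs: the SecurityManager that enforces such a policy was deprecated for removal in Java 17 (JEP 411) and permanently disabled in Java 24 (JEP 486), so this layer exists only on the JDKs of Acegi's era and their successors up to Java 23.

```java
// Added example policy file (hypothetical path /etc/myapp/app.policy); not from the Acegi docs.
// Run with:  java -Djava.security.manager -Djava.security.policy==/etc/myapp/app.policy ...
// The "==" form makes this file the only policy, replacing the JDK default instead of adding to it.

// Assumed layout: the application's own jars live under /opt/myapp/lib (hypothetical path).
grant codeBase "file:/opt/myapp/lib/-" {
    // Reach the database host only, and only on its listening port (hypothetical host and port).
    permission java.net.SocketPermission "db.internal.example:5432", "connect,resolve";

    // Write log files under one directory; nothing else on the file system is writable.
    permission java.io.FilePermission "/var/log/myapp/-", "read,write";

    // Read configuration, but never modify it.
    permission java.io.FilePermission "/etc/myapp/-", "read";

    // Read a few named system properties; no wildcard "*" grant.
    permission java.util.PropertyPermission "user.dir", "read";
    permission java.util.PropertyPermission "file.encoding", "read";
};

// Code not matched by any grant clause (for example a third-party jar placed elsewhere)
// receives no permissions at all, so every code base the application really needs
// must appear here with its own minimal grant. Deliberately absent: java.security.AllPermission.
```

The point of the example is the shape of the grant, not the particular values: each code base is named explicitly, each permission names a concrete target and action, and there is no catch-all grant, which is what "minimize the permissions granted to different Java types" means in practice.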
Of course, you will need to properly address all security layers mentioned above, together with
managerial factors that encompass every layer. A non-exhaustive list of such managerial factors
would include security bulletin monitoring, patching, personnel vetting, audits, change control,
engineering management systems, data backup, disaster recovery, performance benchmarking, load
monitoring, centralised logging, incident response procedures etc.

With Acegi Security being focused on helping you with the enterprise application security layer, you
will find that there are as many different requirements as there are business problem domains. A
banking application has different needs from an ecommerce application. An ecommerce application
has different needs from a corporate sales force automation tool. These custom requirements make
application security interesting, challenging and rewarding.

This reference documentation has been rewritten for the Acegi Security 1.0.0 release. Please read Part I, the overall design and architecture, in full; the remaining parts are written in the traditional reference style and can be consulted as needed.
We hope you find this reference guide useful, and we welcome your suggestions and feedback.
Finally, welcome to the Acegi Security community.

posted on 2007-12-29 17:12 by burrows, category: Acegi Security reference documentation translation