生命在于運動

Acegi Security Reference Documentation: Preface

Acegi Security provides a comprehensive and sufficient security solution for J2EE-based enterprise applications. Once you have worked through this reference guide, you will find that what we offer is a very useful and highly configurable security system. Security is a goal that is never finished, so it is very important to take a comprehensive, system-wide approach. Across the security cycle we recommend that you adopt "layers of security", so that each layer receives the protection it deserves and the layers build on one another to add the corresponding privileges. The more tightly the security of each layer is defined, the more robust and secure your application will be.

At the lowest layer you need to deal with things such as transport security and system identification, which mitigate man-in-the-middle attacks (I suspect this means reducing the application's exposure to attack). Next, you will generally need a firewall, perhaps together with VPNs or IP security measures, to ensure that only authorized systems can connect. In a corporate environment you may need to deploy a DMZ to separate public-facing servers from back-end databases and application servers. Your operating system is likewise a very important part, addressing issues such as running processes as non-privileged users and maximising file system security. An operating system will usually also be configured with its own firewall. Hopefully somewhere along the way you'll be trying to prevent denial of service and brute force attacks against the system. An intrusion detection system will also be especially useful for monitoring and responding to attacks, with such systems able to take protective action such as blocking offending TCP/IP addresses in real-time. Moving to the higher layers, your Java Virtual Machine will hopefully be configured to minimize the permissions granted to different Java types, and then your application will add its own problem domain-specific security configuration. Acegi Security makes this latter area - application security - much easier.

Of course, you will need to properly address all security layers mentioned above, together with managerial factors that encompass every layer. A non-exhaustive list of such managerial factors would include security bulletin monitoring, patching, personnel vetting, audits, change control, engineering management systems, data backup, disaster recovery, performance benchmarking, load monitoring, centralised logging, incident response procedures etc.

With Acegi Security being focused on helping you with the enterprise application security layer, you will find that there are as many different requirements as there are business problem domains. A banking application has different needs from an ecommerce application. An ecommerce application has different needs from a corporate sales force automation tool. These custom requirements make application security interesting, challenging and rewarding.

This reference documentation has been redesigned and rewritten for Acegi Security version 1.0.0. Please read Part I, which covers the overall architecture; the remaining parts are written in the style of a traditional reference document and can be consulted as needed.
We hope you find this reference documentation helpful, and we likewise welcome your suggestions and comments.
Finally, welcome to the Acegi Security community.

posted on 2007-12-29 17:12 by burrows. Category: Acegi Security Reference Documentation translation
