The Architect's Path: How to Build Secure Access to REST Interfaces (dubbox + oauth2 + rest)

Create the database and tables required for OAuth2 authentication:

```sql
CREATE SCHEMA IF NOT EXISTS `oauth2` DEFAULT CHARACTER SET utf8;
USE `oauth2`;

-- -----------------------------------------------------
-- Table `oauth2`.`clientdetails`
-- -----------------------------------------------------
CREATE TABLE IF NOT EXISTS `oauth2`.`clientdetails` (
  `appId` VARCHAR(128) NOT NULL,
  `resourceIds` VARCHAR(256) NULL DEFAULT NULL,
  `appSecret` VARCHAR(256) NULL DEFAULT NULL,
  `scope` VARCHAR(256) NULL DEFAULT NULL,
  `grantTypes` VARCHAR(256) NULL DEFAULT NULL,
  `redirectUrl` VARCHAR(256) NULL DEFAULT NULL,
  `authorities` VARCHAR(256) NULL DEFAULT NULL,
  `access_token_validity` INT(11) NULL DEFAULT NULL,
  `refresh_token_validity` INT(11) NULL DEFAULT NULL,
  `additionalInformation` VARCHAR(4096) NULL DEFAULT NULL,
  `autoApproveScopes` VARCHAR(256) NULL DEFAULT NULL,
  PRIMARY KEY (`appId`))
ENGINE = InnoDB
DEFAULT CHARACTER SET = utf8;

-- -----------------------------------------------------
-- Table `oauth2`.`oauth_access_token`
-- -----------------------------------------------------
CREATE TABLE IF NOT EXISTS `oauth2`.`oauth_access_token` (
  `token_id` VARCHAR(256) NULL DEFAULT NULL,
  `token` BLOB NULL DEFAULT NULL,
  `authentication_id` VARCHAR(128) NOT NULL,
  `user_name` VARCHAR(256) NULL DEFAULT NULL,
  `client_id` VARCHAR(256) NULL DEFAULT NULL,
  `authentication` BLOB NULL DEFAULT NULL,
  `refresh_token` VARCHAR(256) NULL DEFAULT NULL,
  PRIMARY KEY (`authentication_id`))
ENGINE = InnoDB
DEFAULT CHARACTER SET = utf8;

-- -----------------------------------------------------
-- Table `oauth2`.`oauth_approvals`
-- -----------------------------------------------------
CREATE TABLE IF NOT EXISTS `oauth2`.`oauth_approvals` (
  `userId` VARCHAR(256) NULL DEFAULT NULL,
  `clientId` VARCHAR(256) NULL DEFAULT NULL,
  `scope` VARCHAR(256) NULL DEFAULT NULL,
  `status` VARCHAR(10) NULL DEFAULT NULL,
  `expiresAt` DATETIME NULL DEFAULT NULL,
  `lastModifiedAt` DATETIME NULL DEFAULT NULL)
ENGINE = InnoDB
DEFAULT CHARACTER SET = utf8;

-- -----------------------------------------------------
-- Table `oauth2`.`oauth_client_details`
-- -----------------------------------------------------
CREATE TABLE IF NOT EXISTS `oauth2`.`oauth_client_details` (
  `client_id` VARCHAR(128) NOT NULL,
  `resource_ids` VARCHAR(256) NULL DEFAULT NULL,
  `client_secret` VARCHAR(256) NULL DEFAULT NULL,
  `scope` VARCHAR(256) NULL DEFAULT NULL,
  `authorized_grant_types` VARCHAR(256) NULL DEFAULT NULL,
  `web_server_redirect_uri` VARCHAR(256) NULL DEFAULT NULL,
  `authorities` VARCHAR(256) NULL DEFAULT NULL,
  `access_token_validity` INT(11) NULL DEFAULT NULL,
  `refresh_token_validity` INT(11) NULL DEFAULT NULL,
  `additional_information` VARCHAR(4096) NULL DEFAULT NULL,
  `autoapprove` VARCHAR(256) NULL DEFAULT NULL,
  PRIMARY KEY (`client_id`))
ENGINE = InnoDB
DEFAULT CHARACTER SET = utf8;

-- -----------------------------------------------------
-- Table `oauth2`.`oauth_client_token`
-- -----------------------------------------------------
CREATE TABLE IF NOT EXISTS `oauth2`.`oauth_client_token` (
  `token_id` VARCHAR(256) NULL DEFAULT NULL,
  `token` BLOB NULL DEFAULT NULL,
  `authentication_id` VARCHAR(128) NOT NULL,
  `user_name` VARCHAR(256) NULL DEFAULT NULL,
  `client_id` VARCHAR(256) NULL DEFAULT NULL,
  PRIMARY KEY (`authentication_id`))
ENGINE = InnoDB
DEFAULT CHARACTER SET = utf8;

-- -----------------------------------------------------
-- Table `oauth2`.`oauth_code`
-- -----------------------------------------------------
CREATE TABLE IF NOT EXISTS `oauth2`.`oauth_code` (
  `code` VARCHAR(256) NULL DEFAULT NULL,
  `authentication` BLOB NULL DEFAULT NULL)
ENGINE = InnoDB
DEFAULT CHARACTER SET = utf8;

-- -----------------------------------------------------
-- Table `oauth2`.`oauth_refresh_token`
-- -----------------------------------------------------
CREATE TABLE IF NOT EXISTS `oauth2`.`oauth_refresh_token` (
  `token_id` VARCHAR(256) NULL DEFAULT NULL,
  `token` BLOB NULL DEFAULT NULL,
  `authentication` BLOB NULL DEFAULT NULL)
ENGINE = InnoDB
DEFAULT CHARACTER SET = utf8;
```

Prerequisites: the project is managed with Maven; the spring-security-oauth version is 2.0.10.RELEASE.

1. Add the Maven dependencies; only the main ones are listed below.

```xml
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${spring.security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring.security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>${spring.security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-acl</artifactId>
    <version>${spring.security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-crypto</artifactId>
    <version>${spring.security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${spring.security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
    <version>1.0.5.RELEASE</version>
</dependency>
```

2. web.xml configuration; this step is the same as when using Spring Security alone.

```xml
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:spring/*.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
    <servlet-name>hy</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>hy</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>
```

For Spring MVC a hy-servlet.xml configuration file is also needed; it is not the focus here and is skipped. Create a spring directory on the classpath and a security.xml file inside it; that file is the core of all the steps that follow.

3. security.xml configuration; the key part begins here.

3.1 Enable annotations; TokenEndpoint and AuthorizationEndpoint require them.

```xml
<mvc:annotation-driven/>
<mvc:default-servlet-handler/>
```

3.2 TokenServices configuration.

1) TokenStore: JdbcTokenStore is used, which stores token information in the database and needs a dataSource bean. InMemoryTokenStore can be used instead to keep tokens in memory.

```xml
<beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
    <beans:constructor-arg index="0" ref="dataSource"/>
</beans:bean>
```

Note: the matching SQL script ships with spring-security-oauth2 at https://github.com/spring-projects/spring-security-oauth/tree/master/spring-security-oauth2/src/test/resources; it is the schema.sql in that directory. (SQL scripts are not discussed further below.)

2) TokenServices; the TokenStore must be injected.

```xml
<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <beans:property name="tokenStore" ref="tokenStore"/>
    <beans:property name="supportRefreshToken" value="true"/>
</beans:bean>
```

To allow tokens to be refreshed, set supportRefreshToken to true; by default refresh is not allowed.

3.3 ClientDetailsService configuration: JdbcClientDetailsService is used, which also needs the dataSource. This replaces the demo's approach of defining clients directly in the configuration file.

```xml
<beans:bean id="clientDetailsService" class="org.springframework.security.oauth2.provider.JdbcClientDetailsService">
    <beans:constructor-arg index="0" ref="dataSource"/>
</beans:bean>
```

3.4 ClientDetailsUserDetailsService configuration; this class implements Spring Security's UserDetailsService interface.

```xml
<beans:bean id="oauth2ClientDetailsUserService"
            class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <beans:constructor-arg ref="clientDetailsService"/>
</beans:bean>
```

3.5 OAuth2AuthenticationEntryPoint configuration.

```xml
<beans:bean id="oauth2AuthenticationEntryPoint"
            class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"/>
```

3.6 OAuth2 AuthenticationManager configuration; two AuthenticationManagers are needed in the overall configuration.

```xml
<authentication-manager id="oauth2AuthenticationManager">
    <authentication-provider user-service-ref="oauth2ClientDetailsUserService"/>
</authentication-manager>
```

The second AuthenticationManager is used to look up UserDetails information:

```xml
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userService">
        <password-encoder hash="md5"/>
    </authentication-provider>
</authentication-manager>
```

userService is a bean that implements UserDetailsService.

3.7 OAuth2AccessDeniedHandler configuration; it implements the AccessDeniedHandler interface.

```xml
<beans:bean id="oauth2AccessDeniedHandler"
            class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
```

3.8 UserApprovalHandler configuration; DefaultUserApprovalHandler is used here. This is the key point for deciding whether a client is trusted; you can extend the interface to customise the approval behaviour.

```xml
<beans:bean id="oauthUserApprovalHandler"
            class="org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler">
</beans:bean>
```

3.9 authorization-server configuration (core).

```xml
<oauth2:authorization-server client-details-service-ref="clientDetailsService" token-services-ref="tokenServices"
                             user-approval-handler-ref="oauthUserApprovalHandler">
    <oauth2:authorization-code/>
    <oauth2:implicit/>
    <oauth2:refresh-token/>
    <oauth2:client-credentials/>
    <oauth2:password/>
</oauth2:authorization-server>
```

Each child element of this block configures the behaviour of one authorized grant type. For example, to disable refresh-token:

```xml
<oauth2:refresh-token disabled="true"/>
```

3.10 OAuth2 AccessDecisionManager configuration; a ScopeVoter is added on top of the default Spring Security AccessDecisionManager.

```xml
<beans:bean id="oauth2AccessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
            <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>
```

3.11 resource-server configuration; two different resources are defined here.

```xml
<oauth2:resource-server id="unityResourceServer" resource-id="unity-resource" token-services-ref="tokenServices"/>
<oauth2:resource-server id="mobileResourceServer" resource-id="mobile-resource" token-services-ref="tokenServices"/>
```

Note: each resource-id value must be present in the resourceIds of the corresponding ClientDetails.

3.12 ClientCredentialsTokenEndpointFilter configuration; this filter is placed in the Spring Security filter chain.

```xml
<beans:bean id="clientCredentialsTokenEndpointFilter"
            class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <beans:property name="authenticationManager" ref="oauth2AuthenticationManager"/>
</beans:bean>
```

3.13 http configuration for /oauth/token, which handles requests to that URL (core).

```xml
<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="oauth2AuthenticationManager"
      entry-point-ref="oauth2AuthenticationEntryPoint">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
    <anonymous enabled="false"/>
    <http-basic entry-point-ref="oauth2AuthenticationEntryPoint"/>
    <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER"/>
    <access-denied-handler ref="oauth2AccessDeniedHandler"/>
</http>
```

3.14 http configuration for each resource; since two resources were configured above, two http blocks are configured here as well.

```xml
<http pattern="/unity/**" create-session="never" entry-point-ref="oauth2AuthenticationEntryPoint"
      access-decision-manager-ref="oauth2AccessDecisionManager">
    <anonymous enabled="false"/>
    <intercept-url pattern="/unity/**" access="ROLE_UNITY,SCOPE_READ"/>
    <custom-filter ref="unityResourceServer" before="PRE_AUTH_FILTER"/>
    <access-denied-handler ref="oauth2AccessDeniedHandler"/>
</http>
<http pattern="/m/**" create-session="never" entry-point-ref="oauth2AuthenticationEntryPoint"
      access-decision-manager-ref="oauth2AccessDecisionManager">
    <anonymous enabled="false"/>
    <intercept-url pattern="/m/**" access="ROLE_MOBILE,SCOPE_READ"/>
    <custom-filter ref="mobileResourceServer" before="PRE_AUTH_FILTER"/>
    <access-denied-handler ref="oauth2AccessDeniedHandler"/>
</http>
```

Note that each http element corresponds to a different resourceServer, and access-decision-manager-ref points to the OAuth2 AccessDecisionManager.

3.15 Default http configuration, which sets the permissions for /oauth/**.

```xml
<http access-denied-page="/login.jsp?authorization_error=2" disable-url-rewriting="true"
      authentication-manager-ref="authenticationManager">
    <intercept-url pattern="/oauth/**" access="ROLE_USER,ROLE_UNITY,ROLE_MOBILE"/>
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <form-login authentication-failure-url="/login.jsp?authentication_error=1" default-target-url="/index.jsp"
                login-page="/login.jsp" login-processing-url="/login.do"/>
    <logout logout-success-url="/index.jsp" logout-url="/logout.do"/>
    <anonymous/>
</http>
```

This completes the security.xml configuration. Of course, there is still some extra work to do, such as configuring the dataSource, creating the database, adding user information, managing ClientDetails and so on. Since all OAuth-related data is stored in the database, we can create domain objects from the table structure to manage it. Further reading: http://www.roncoo.com/article/index
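To show how the oauth2AccessDecisionManager of section 3.10 evaluates an intercept-url such as access="ROLE_UNITY,SCOPE_READ" from section 3.14, and why the resource-id note in section 3.11 matters, here is an added Python model; it is not code from the article or from Spring Security OAuth. The voter functions are simplified re-implementations of the three voters' logic, and the authentication is a plain dict constructed for the example.

```python
# Added model (not the article's code) of UnanimousBased over ScopeVoter, RoleVoter and
# AuthenticatedVoter, as wired in section 3.10, plus the resource-id check from section 3.11.
# Vote values mirror Spring Security's AccessDecisionVoter constants.
GRANTED, ABSTAIN, DENIED = 1, 0, -1

def scope_voter(auth, attributes):
    # ScopeVoter only votes on SCOPE_* attributes and only for OAuth2 authentications. Spring's
    # ScopeVoter raises InsufficientScopeException on a miss; that is modelled as DENIED here.
    if not auth.get("oauth2"):
        return ABSTAIN
    result = ABSTAIN
    for attr in attributes:
        if attr.startswith("SCOPE_"):
            result = DENIED
            if any(attr.upper() == ("SCOPE_" + scope).upper() for scope in auth["scopes"]):
                return GRANTED
    return result

def role_voter(auth, attributes):
    # RoleVoter only votes on ROLE_* attributes, matching them against the granted authorities.
    roles = [a for a in attributes if a.startswith("ROLE_")]
    if not roles:
        return ABSTAIN
    return GRANTED if any(r in auth["authorities"] for r in roles) else DENIED

def authenticated_voter(auth, attributes):
    # AuthenticatedVoter votes on IS_AUTHENTICATED_* attributes; only FULLY is modelled here.
    if "IS_AUTHENTICATED_FULLY" not in attributes:
        return ABSTAIN
    return GRANTED if auth.get("fully_authenticated") else DENIED

def unanimous_decide(auth, attributes):
    # UnanimousBased polls every voter on each attribute separately: a DENIED vote on any
    # attribute denies the request, otherwise at least one GRANTED vote is required
    # (allowIfAllAbstainDecisions is false by default, so all-abstain is also a denial).
    grants = 0
    for attr in attributes:
        for voter in (scope_voter, role_voter, authenticated_voter):
            vote = voter(auth, [attr])
            if vote == DENIED:
                return False
            if vote == GRANTED:
                grants += 1
    return grants > 0

def resource_id_allowed(token_resource_ids, resource_id):
    # Section 3.11: the resource-server's resource-id must appear in the client's resourceIds;
    # OAuth2AuthenticationManager rejects the token otherwise. An empty list means unrestricted.
    return not token_resource_ids or resource_id in token_resource_ids
```

With this wiring a token for /unity/** must carry both the ROLE_UNITY authority and the read scope; either one alone is refused, which is the behaviour that distinguishes UnanimousBased from the default AffirmativeBased manager used by the http block in section 3.15.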
