Secure method of passing sign-in information from a Struts Action to a different app

99封情书 submitted on 2019-12-25 11:48:49

Question


I have an app which allows users to sign in and then passes their sign-in information to the app of their choice. All the apps are written in Java, use Struts2 and run on WebSphere. What is the most secure way to pass in the sign-in information? I can pass it in the URL using HTTPS, but that still leaves the information available in the browser history.

EDIT:

The sign-in app actually calls a web service which registers the user, collects their personal information, verifies their identity and passes the information back to the sign-in app. The web service stores all of the registration information. I would like to pass all of the registration information to the app so the user does not have to reenter it and to ensure the information stored by the web service is identical to the information stored in the app.


Answer 1:


You should configure both apps to use Single Sign On.

Here's a tutorial for WebSphere.

http://www.redbooks.ibm.com/redpapers/pdfs/redp4192.pdf




Answer 2:


If you pass sign-in information via HTTPS, it's a secure way. Don't pass it in the URL, however. Use the HTTP POST method to submit this information to the application. But because you use a web service to register/authenticate a user, you need to invoke this web service from your application using an HTTP client, etc. If you invoke the service from the client, your application will never know if the user is registered/authenticated.

It is recommended to use some security framework, i.e. Spring Security, which allows you to use different methods for authentication/registration/authorization. It requires integrating Struts2 with Spring via the Spring plugin.

For the rest see How to integrate Spring Security and Struts2. Or read the book Spring Security 3.x Cookbook by Anjana Mankale.
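
The hand-off that answer 2 describes, as an added example that is not part of the original answer: a Struts2 action in the receiving app that accepts the values only from a POST body and then queries the web service from the server side. The class name, field names, endpoint URL and the "200 means registered" convention are assumptions, and the Struts 2.5-style `ServletRequestAware` interface is assumed.

```java
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.ServletRequestAware;
import javax.net.ssl.HttpsURLConnection;
import javax.servlet.http.HttpServletRequest;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Hypothetical Struts2 action in the receiving app (not code from the page).
public class ReceiveSignInAction extends ActionSupport implements ServletRequestAware {
    // Placeholder endpoint: the real web service URL is not given on the page.
    private static final String VERIFY_URL = "https://registration.example.internal/verify";
    private HttpServletRequest request;
    private String username, password;   // bound by Struts2 from the POST body

    @Override
    public String execute() throws Exception {
        // Accept the hand-off only as a POST over TLS with an empty query string,
        // so the values never land in browser history, Referer headers or access logs.
        if (!"POST".equals(request.getMethod()) || !request.isSecure()
                || request.getQueryString() != null) {
            return ERROR;
        }
        if (username == null || password == null) {
            return INPUT;
        }
        // Ask the web service from the server; the browser's claim alone is not trusted.
        return isRegistered(username, password) ? SUCCESS : LOGIN;
    }

    private boolean isRegistered(String user, String pass) throws Exception {
        String body = "username=" + URLEncoder.encode(user, "UTF-8")
                + "&password=" + URLEncoder.encode(pass, "UTF-8");
        HttpsURLConnection conn = (HttpsURLConnection) new URL(VERIFY_URL).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        // Assumption: the service answers 200 only for a registered, verified user.
        return conn.getResponseCode() == 200;
    }

    @Override
    public void setServletRequest(HttpServletRequest request) { this.request = request; }
    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }
}
```

If TLS is terminated in front of the application server, `request.isSecure()` only returns true when the proxy or web server plug-in forwards the original scheme, so that check has to match the deployment.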



Source: https://stackoverflow.com/questions/44070914/secure-method-of-passing-sign-in-information-from-a-struts-action-to-a-different
