Foreign literature translation: OpenID for Java Web applications (undergraduate thesis)

Cover sheet (professional foreign-language translation)
Topic: Building a small business website
Department (School): Department of Computer Science and Technology
Major: Computer Network Technology
Class:
Student name:
Student ID:
Supervisor:
Title:
Date: May 2 (year garbled in the source as "二一年")
Associate-degree graduation project (professional foreign-language translation)

OpenID for Java Web applications

J. Steven Perry is an independent software development consultant and has been developing software professionally since 1991. Steve has a passion for software development, and enjoys writing about software development and mentoring other developers. He is the author of Java Management Extensions (O'Reilly) and Log4j (O'Reilly), and Joda-Time (which he wrote for IBM developerWorks). In his spare time he hangs out with his three kids, rides his bike, and teaches yoga. Steve is the owner and principal consultant for Makoto Consulting Group, located in Little Rock, Arkansas.

Summary: OpenID is a decentralized authentication protocol that makes it easier for users to access resources in your Java Web applications. In this first half of a two-part article, you'll learn about the OpenID Authentication Specification and walk through the steps of incorporating it into a sample Java application. Rather than implement the OpenID Authentication specification by hand, author J. Steven Perry uses the openid4java library and a popular OpenID provider, myOpenID, to create a safe and reliable registration process for a Java application written in Wicket.

OpenID is a decentralized authentication mechanism. Using OpenID, I can prove I own a URI such as and I can use that identity to authenticate myself with any site that supports OpenID, such as Google, Slashdot, or Wordpress. Clearly, OpenID is great for end users. But using it got me to thinking: "What about using OpenID to create a standard, reliable authentication system for the Java-based Web applications I write for my customers?"

In this two-part article I will show you how to use the openid4java library and a well-known OpenID provider, myOpenID, to create an authentication system for a Java-based Web application.
I'll also show you how to receive user information with the OpenID Simple Registration Extension (SReg). I'll start by explaining what OpenID is and showing you how to get an OpenID of your own. Next, I will present a brief overview of how OpenID authentication works. Finally, I will walk through the steps involved in performing OpenID authentication using openid4java. In the second half of this article, you'll learn how to create your own OpenID provider.

Throughout the discussion I'll be working with a Wicket-based Java Web application that I wrote specifically for this article. You can download the source code for the application at any time. You also might want to take a look at the openid4java library (see Resources).

Note: This article focuses on using OpenID for Java Web applications, but OpenID is not tied to Java; any application that can redirect a browser and receive an HTTP request back can act as a Relying Party.

Introduction to OpenID

OpenID is a specification for proving that a user owns an identifier. For now, just think of an identifier as a String that uniquely identifies a user. If you're like me, you own many identifiers or userids. I have a userid at Facebook, another at Twitter, and others at dozens of sites that I use around the Internet. I always try to use the same userid, but it's not available on every new site I sign up for. So I have a mental map of all of my userids and the Web sites they're associated with. What a pain; I use the "Forgot your password?" feature a lot! It would be great if there were a way to claim a single identifier and use it everywhere.

OpenID solves exactly this problem. Using OpenID, I claim an identifier and use it on any site or Web resource that has adopted the protocol.
The latest figures (from the OpenID Web site) say that more than 50,000 Web sites support OpenID, including Facebook, Yahoo!, Google, and Twitter.

OpenID authentication

OpenID authentication is at the heart of OpenID, and consists of three main concepts:

The OpenID Identifier: A String of text that uniquely identifies the user.
The OpenID Relying Party (RP): An online resource (probably a Web site, but it could be a file, an image, or pretty much anything you want to control access to) that uses OpenID to identify who can access it.
The OpenID Provider (OP): A site where users can claim an OpenID and subsequently sign in and authenticate their identity for the benefit of any RP.

The OpenID Foundation is a consortium whose members are interested in promoting open identity management through the OpenID specification.

How does OpenID work?

Suppose a user is attempting to access a resource that is part of an RP's Web site, and the RP uses OpenID. To access the resource, the user must present his OpenID in a form that the RP can recognize and normalize as an OpenID. The identifier itself tells the RP where the OP is: the RP resolves it (through a process called discovery, described below) to the URL of the OP's authentication endpoint. The RP then redirects the user to that OP, where he will be required to prove his claim to that ID.

Let's briefly consider each component of the OpenID specification and its role in this process.

OpenID Identifiers

At the heart of OpenID is, of course, the OpenID Identifier. An OpenID Identifier (or just "identifier") is a human-readable String of characters that uniquely identifies someone. No two users have the same OpenID, and that's what makes OpenID work. By following the rules in the OpenID Authentication Specification Version 2.0, an RP normalizes an identifier into a standard form and then performs discovery on it to figure out which OP can authenticate the user and how to reach it.
In the operational world of OpenID, where we as developers write code, two identifiers are of interest:

User-Supplied Identifier
Claimed Identifier

As the name suggests, a User-Supplied Identifier is the identifier supplied by the user to the RP. The User-Supplied Identifier must be normalized into a Claimed Identifier, which is just a fancy way to say that the identifier supplied by the user is transformed into a standard form (for example, a missing scheme is filled in and trailing fragments are stripped). The Claimed Identifier can then be used to locate the OP through a process called discovery, after which the OP will authenticate the user.

OpenID Relying Party

It is normally the RP that is presented with a User-Supplied Identifier, which it normalizes to a Claimed Identifier. The user's browser (the "User Agent") is then redirected to the OP so that the user can provide his or her password and be authenticated.

The RP neither knows nor cares about the specifics of how a Claimed Identifier is authenticated; it only wants to know whether the OP has successfully authenticated the user. If so, the User Agent (again, probably the user's browser) is forwarded to the protected resource that the user was attempting to access. If the user cannot be authenticated, then the RP denies access. Note that "successfully authenticated" means the RP has verified the OP's response, not merely that the browser came back to the RP; a response that fails verification must be treated as a failed login.

OpenID Provider (OP)

The OP, or OpenID Provider, is responsible for issuing identifiers and performing user authentication. OPs also provide Web-based management of OpenIDs. OPs typically collect and hold basic profile information about each user, which they can release to an RP (with the user's consent) through the Simple Registration Extension; the fields the sample application uses are:

E-mail address
Full name
Date of birth
Postal code
Country
Primary language

When an OP is asked to authenticate a Claimed Identifier, the user's browser is directed to a sign-in page where the user is challenged to enter his password. At that point, control is with the OP. If the user is successfully authenticated, then the OP directs the browser back to a location specified by the RP (in a special "return_to" URL) together with a signed assertion about the identifier.
If the user cannot authenticate, he will probably receive a message from the OP that his authentication attempt failed (at least that's the case with ClaimID and myOpenID, two popular OpenID Providers).

Becoming an OpenID Relying Party

So now you know about the major components of OpenID and how they fit together. For the remainder of the article, we'll focus on writing an OpenID Relying Party (RP) using the open source openid4java library.

The first step in using OpenID is to get an identifier. It's easy to do: just go to myOpenID and click the SIGN UP FOR AN OPENID button. Pick an OpenID like redneckyogi or jstevenperry (both of which are mine, by the way). The sign-up form will tell you whether the userid you've chosen is already taken. If not, you'll be instructed to enter a password, an e-mail address, and some text in a JCaptcha-style text box (you're not a bot, are you?), and that's it! Some minutes later you'll get an e-mail at the address provided containing a link. Click the link to confirm your e-mail address and congratulations! You now have an OpenID!

Of course, as with any awesome technology, there are numerous OpenID providers to choose from (see Resources for a complete list).

To illustrate how quick and easy it is to get an OpenID, I signed up for accounts at myOpenID, Verisign, and ClaimID in the space of about 30 minutes. And that includes time spent entering detailed information and uploading a picture!

You may already have an OpenID

According to the OpenID Web site, Google, Wordpress, and other popular sites support OpenID. If you've signed up for any of these sites you may already have an OpenID.

For instance, if you have a Yahoo! account, you probably also have an OpenID (I did, and didn't even know it). You just use your Yahoo! ID when you sign in, and Yahoo! is your OpenID Provider.
You provide your Yahoo-based OpenID as whatever and the RP will ask Yahoo! to authenticate you (you can actually see this in action if you run the sample application that accompanies this article).

About the sample application

As I said at the beginning of this article, I've written a Java Web application that uses openid4java to create a simple OpenID Relying Party (RP). It is a simple application that you can build (as a WAR), drop into Tomcat, and run from your local machine. The sample application has a very tight focus:

The user enters her OpenID on a registration page.
The application verifies the identifier (by directing the user to her OP to sign in).
Upon successful authentication, the application retrieves the user's profile information from the OP, and directs the user to a Save page where she can review and save her profile information.

The information displayed on the Save page is pulled from the information available from the OP. I wrote the application with Wicket because, well, I really like Wicket. But I've tried to minimize Wicket's "footprint" so that it doesn't distract you from learning how to write an OpenID Relying Party.

The architecture of the sample application is divided into two areas of responsibility:

User interface, written in Wicket
OpenID authentication, using the openid4java library

Of course the two areas intersect, but again, I have tried to keep overlap to a minimum to make it easier to follow the OpenID instructions, rather than getting distracted by the details of Wicket.

About openid4java and the sample application code

The OpenID Authentication spec is complicated. If you implement specifications all the time, you'll probably be very comfortable writing your own implementation. As for me, I'm lazy. I don't want to do any more work than I have to in order to solve the problem at hand, which is where the openid4java library comes into play.
openid4java is an implementation of the OpenID Authentication specification that makes it much easier to use OpenID programmatically.

The code listings that follow show the openid4java API calls an RP makes to use OpenID. One thing you may notice is how little code the sample application actually needs to make this happen. openid4java really does make your life easier.

To reduce the Wicket footprint in the sample application, I've isolated the code that calls openid4java into its own Java class called RegistrationService (located in com.makotogroup.sample.model). This class contains five methods that correspond to the usage of the openid4java API:

getReturnToUrl() returns the return_to URL: the address on the RP that the OP redirects the browser to once it has processed the authentication request.
getConsumerManager() returns the application's single instance of ConsumerManager, the main openid4java API class. It drives discovery, association, building the authentication request, and verifying the response, and it keeps the association and nonce state that verification depends on, which is why one instance is shared rather than created per request.
performDiscoveryOnUserSuppliedIdentifier() does what its name implies: it runs discovery on the User-Supplied Identifier and handles any problems that arise during the discovery process.
createOpenIdAuthRequest() creates the AuthRequest that the browser is redirected with to start authentication.
processReturn() processes the OP's response when the browser comes back to the return_to URL, including verifying it.

Writing the RP

The whole point of authentication is for the user to prove his or her identity. Doing this protects a Web resource from access by unwanted or malicious visitors. Once the user has proved his identity, you decide whether or not to grant him access to the resource (though authorization is beyond the scope of this article). The sample application for this article performs a function common to many Web sites: user registration. It assumes that if the user can prove his identity then he is allowed to register. It's a simple premise, but it will demonstrate how a typical "conversation" with the OP goes and how to use openid4java to do it.
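Here is what those five responsibilities look like when strung together with the openid4java API. This is an added example, not the article's RegistrationService class or the downloadable sample: it assumes a servlet container (so it uses HttpServletRequest and HttpSession rather than Wicket) and openid4java 0.9.x on the classpath, and the session key DISCOVERY_KEY and the VerifiedUser holder class are names chosen for this example. The first method covers discovery, association and the authentication request; the second covers verification of the OP's response and extraction of the SReg data.

```java
// Added example (not the article's code). Assumes the Servlet API and
// openid4java 0.9.x. DISCOVERY_KEY and VerifiedUser are names chosen here.
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.openid4java.OpenIDException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.AuthSuccess;
import org.openid4java.message.MessageExtension;
import org.openid4java.message.ParameterList;
import org.openid4java.message.sreg.SRegMessage;
import org.openid4java.message.sreg.SRegRequest;
import org.openid4java.message.sreg.SRegResponse;

public class OpenIdRelyingParty {

    // Session attribute under which the discovery result is parked between
    // the redirect to the OP and the return to the RP (name chosen here).
    private static final String DISCOVERY_KEY = "openid-discovery";

    // One ConsumerManager per application: it holds the association cache
    // and the nonce verifier that reject forged and replayed responses.
    private final ConsumerManager manager = new ConsumerManager();

    /** What a verified login yields: the Claimed Identifier plus SReg fields. */
    public static final class VerifiedUser {
        public final String claimedId, email, fullName;
        VerifiedUser(String claimedId, String email, String fullName) {
            this.claimedId = claimedId; this.email = email; this.fullName = fullName;
        }
    }

    /** Discovery, association and AuthRequest; returns the URL to redirect to. */
    public String beginAuthentication(String userSuppliedId, String returnToUrl,
                                      HttpSession session) throws OpenIDException {
        // Discovery: normalize the User-Supplied Identifier and resolve it
        // to the OP endpoints that can authenticate it.
        List<?> discoveries = manager.discover(userSuppliedId);
        // Association: choose an endpoint and negotiate a shared MAC key, so
        // the OP can sign its response and we can verify it locally.
        DiscoveryInformation discovered = manager.associate(discoveries);
        // verify() later compares the response against this, so the OP that
        // answers must be the one we actually sent the user to.
        session.setAttribute(DISCOVERY_KEY, discovered);

        AuthRequest authReq = manager.authenticate(discovered, returnToUrl);
        // Ask for profile data via the Simple Registration Extension.
        SRegRequest sreg = SRegRequest.createFetchRequest();
        sreg.addAttribute("email", true);      // required
        sreg.addAttribute("fullname", false);  // optional
        authReq.addExtension(sreg);
        // true = build a GET-style redirect URL for the user agent
        return authReq.getDestinationUrl(true);
    }

    /** Verify the OP's response at the return_to URL; null means deny access. */
    public VerifiedUser completeAuthentication(HttpServletRequest request)
            throws OpenIDException {
        ParameterList response = new ParameterList(request.getParameterMap());
        DiscoveryInformation discovered = (DiscoveryInformation)
            request.getSession().getAttribute(DISCOVERY_KEY);
        if (discovered == null) {
            return null; // no pending request in this session: treat as forged
        }
        // The URL the browser actually hit, query string included; verify()
        // checks it against openid.return_to in the signed response.
        StringBuffer receivingUrl = request.getRequestURL();
        String query = request.getQueryString();
        if (query != null && query.length() > 0) {
            receivingUrl.append('?').append(query);
        }
        // Verifies the signature (with the association, or via a direct
        // check_authentication call in stateless mode), the nonce, the
        // return_to URL and the OP endpoint. Any failure yields no verified id.
        VerificationResult result = manager.verify(receivingUrl.toString(),
                                                   response, discovered);
        Identifier verified = result.getVerifiedId();
        if (verified == null) {
            return null; // cancelled, failed, replayed or tampered
        }
        AuthSuccess success = (AuthSuccess) result.getAuthResponse();
        String email = null, fullName = null;
        if (success.hasExtension(SRegMessage.OPENID_NS_SREG)) {
            MessageExtension ext = success.getExtension(SRegMessage.OPENID_NS_SREG);
            if (ext instanceof SRegResponse) {
                SRegResponse sregResp = (SRegResponse) ext;
                email = sregResp.getAttributeValue("email");
                fullName = sregResp.getAttributeValue("fullname");
            }
        }
        return new VerifiedUser(verified.getIdentifier(), email, fullName);
    }
}
```

Two points matter for security here. The DiscoveryInformation stored in the session ties the incoming response to the request this RP actually issued, so a response crafted for a different OP or a different session does not verify. And only getVerifiedId() decides success; the presence of openid.mode=id_res or of SReg fields in the query string proves nothing on its own, because anyone can put those parameters in a URL.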
Here are the basic steps:

Obtain the User-Supplied Identifier: The RP gets the user's OpenID.
Discovery: The RP normalizes the User-Supplied Identifier to a Claimed Identifier and uses it to determine which OP to contact for authentication and how to contact it.
Association: An optional step, but one I highly recommend, wherein the RP and OP establish a shared secret (an association handle and MAC key, negotiated with Diffie-Hellman or directly over HTTPS). The OP signs its responses with this key and the RP can verify them locally; without an association the RP must send every response back to the OP in a separate check_authentication request.
Authentication request: The RP redirects the user's browser to the OP, asking it to authenticate the user.
Verification: When the browser returns to the return_to URL, the RP verifies the OP's response: the signature, the one-time nonce (against replay), the return_to URL, and that the responding endpoint is the one found during discovery. This is what ensures the response has not been tampered with.
Proceed to application: Following successful verification, the RP directs the user to the resource he or she initially requested.

Next, we'll look at each of these steps in detail, including code examples. As we progress through the sections below, I will use a single example to illustrate the OpenID authentication process from start to finish.

Obtain the User-Supplied Identifier

This is the job of your RP application. In the working example, the userid is obtained on the application's OpenIdRegistrationPage. I enter my OpenID and click the Confirm OpenID button. The sample application (which acts as the RP) now has my User-Supplied Identifier. Figure 1 shows a screen shot of the sample application in action.

In this case, the User-Supplied Identifier is .

The UI code is responsible for two things: making sure the user has entered text into the Your OpenID text box, and submitting the form when the user clicks the Confirm OpenID button. Following confirmation, the application begins the call sequence. Listing 1 shows the code for the OpenIdRegistrationPage that submits the form and makes this call sequence.

Listing 1. Wicket UI code to make the OpenID auth