REST API: Securely Handle Authentication in a Javascript SPA

We're developing a single-page application in Javascript using DurandalJS that's going to be the client for a REST API server.

Here's the way we've thought out the authentication process:

Step 1

The client is going to have an API key and a private key; the API key is going to be public, while the private key is going to be secret and used only for signing the request (the signature is going to be recreated by the server and compared, similar to two-legged OAuth).

The client is going to make a POST call to https://api/sessions/ and we're going to send as params:

  • api key
  • user / pass
  • nonce
  • timestamp
  • signature (HMAC of params using the private key)

Step 2

The server is going to respond with an auth_token that's going to be used by the client in the subsequent requests in order to identify the user. This token is going to be short-lived (e.g. set to expire in an hour).

The auth_token is going to be assigned to a certain user_id and API key, so it couldn't be valid if used by another API key.

Step 3

Any subsequent request has to include API key, nonce, timestamp, auth_token and signature. The nonce and the timestamp are used to filter out replay attacks by the man in the middle, while the encryption will be secured by SSL.

The downside of using a Javascript SPA is the fact that the code is public via the console and therefore the private key might be discovered. However, even if an attacker discovers and recreates the signature, any requests will not be valid without the auth_token. Since the token is obtained over a secure HTTPS connection by calling https://api/sessions, the man in the middle cannot get hold of it.

We could add another layer of security by obfuscating the JS code, but this is security through obscurity.

My question is: Is there a more secure way to handle the authentication process using a SPA JS client?

Thanks!

Consider using an Apigee proxy implementing OAuth. Please see the following documentation: http://apigee.com/docs/api-platform/content/secure-calls-your-api-through-oauth-20-client-credentials . An Apigee free trial account has this enabled.
