
Login to Django web service using a secure connection

I have written a simple Django web service that provides an iOS app with JSON information containing download links. I don't mind the JSON information being clear text, but when the user logs in, I would like him to log in with his username and password; then he would probably get some kind of key for future requests, which I understand can be sniffed out. For that first interaction, how could I protect the password and username from being clear text and sniffed?

I have decided I want to use symmetric encryption to encrypt my password and have that key both on the client and on the server. (Yes, I am aware that if someone goes to the trouble of binary hacking my app and sniffing packets from a customer he would be able to get the password in clear text; it's just not a likely concern.)

I would like to use some kind of encryption that I can easily do in iOS and then decrypt in my Django server. Does anyone have a suggestion on how to do that?

If you want to encrypt the communication between your Django server and the client then you can use secure HTTP rather than plain old HTTP. This is done outside Django, and is configured at the web server level. For example, if your Django app is run by a WSGI server like gunicorn or uWSGI which in turn is handled by nginx (this is a common setup), then you would configure your nginx server to accept only secure HTTP requests and forward any standard HTTP request to HTTPS. This way you can ensure that everything the client sends to the server is encrypted on the browser prior to sending. A similar setup is done with Apache, though I personally have never used Apache with Django.
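The nginx setup this answer describes, written out as an added example (it is not code from the answer's author or from the Django project). It assumes gunicorn is listening on 127.0.0.1:8000, that the site is served as example.com, and that the certificate and key paths are placeholders to be replaced with your own:

```nginx
# Added example: nginx in front of a Django app served by gunicorn.
# Assumptions: gunicorn listens on 127.0.0.1:8000, the host name is
# example.com, and the certificate/key paths are placeholders.

# Plain HTTP: serve nothing here except a redirect to HTTPS, so the
# application itself is never reachable over an unencrypted connection.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# HTTPS: TLS terminates here, so everything the iOS client sends,
# including the username and password on first login, is encrypted
# on the wire between the client and this server.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.crt;     # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Ask clients to use HTTPS only for this host from now on (HSTS).
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tells Django the original request arrived over HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two things worth checking once this is in place. First, Django only trusts the `X-Forwarded-Proto` header for `request.is_secure()` if `settings.py` contains `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')`; with that set, `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True` keep the session key the client receives after login from ever being sent over plain HTTP. Second, the port 80 redirect is a safety net, not a protection for a request that has already gone out: a client that posts credentials to `http://` has already exposed them before the 301 arrives, so the iOS app should be built to use `https://` URLs only and the HSTS header exists to stop clients that do honour it from falling back.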

Since the OP considers HTTPS not to be a viable option, an alternative is to use a modified form of CHAP (the Challenge-Handshake Authentication Protocol) for the initial key creation.
