谷歌应用引擎云终端安全性
[英]google app engine cloud endpoint security
问题描述
I am starting a new project and using javascript based UI as fronted and google cloud endpoints backed by google datastore for data storage. 
我正在开始一个新项目,并使用基于javascript的UI作为前端,并使用由Google数据存储支持的google cloud端点进行数据存储。
I don't need to use any of the google services for user login etc. In other words, i will have my own table to store username, pwd and other profile info. 我不需要使用任何Google服务进行用户登录等。换句话说,我将拥有自己的表格来存储用户名,密码和其他个人资料信息。
So, the questions are: 1. How will my service based frontend will hold the session? 因此,问题是:1.我的基于服务的前端将如何举行会话? 2. How will it understand that requests are going for which user account to return user specific data? 2.如何理解请求针对哪个用户帐户返回用户特定数据的请求?
Also to start with, I have so far created an endpoint which basically returns true or false on passing username to it. 同样从头开始,到目前为止,我已经创建了一个端点,该端点在将用户名传递给它时基本上返回true或false。 (just to mimic valid user or not). (无论是否模仿有效用户)。
The question is do i really need to configure any security to invoke this api from the javascript client i have? 问题是我是否真的需要配置任何安全性才能从我拥有的javascript客户端调用此api?
2 个解决方案
解决方案1
1 2016-04-22 05:55:15
Even if you want to use custom usernames and passwords, you'll need more than just a process to send and retrieve this data from your endpoint. 即使您要使用自定义的用户名和密码,您也将需要不仅仅是从端点发送和检索此数据的过程。
Consider using something that's there already. 考虑使用已经存在的东西。 Eg webapp2 has a basic auth module which allows you to have your own database with usernames and passwords but already has many required security measures in place. 例如,webapp2有一个基本的身份验证模块,该模块允许您使用用户名和密码创建自己的数据库,但已经采取了许多必要的安全措施。
A tutorial I've used to implement this in the past: https://blog.abahgat.com/2013/01/07/user-authentication-with-webapp2-on-google-app-engine/ 我过去曾用来实现此目标的教程: https : //blog.abahgat.com/2013/01/07/user-authentication-with-webapp2-on-google-app-engine/
解决方案2
1 2016-04-23 06:38:44
So the basic answer is Google Cloud Endpoints is best suited for applications which users google accounts as authentication mechanism. 因此,基本的答案是Google Cloud Endpoints最适合使用用户google帐户作为身份验证机制的应用程序。
So if you are using cloud endpoints, and wanted to have custom authentication mechanism, you have to create your own. 因此,如果您使用的是云端点,并且想要具有自定义身份验证机制,则必须创建自己的身份验证机制。
How will my service based frontend will hold the session? 我的基于服务的前端将如何举行会议?
Upon successful authentication (by any form either user credentials, third party social login etc), you need to setup session for that user eg; 成功认证后(通过任何形式的用户凭据,第三方社交登录等),您需要为该用户设置会话;例如; by using session cookies. 通过使用会话cookie。
How will it understand that requests are going for which user account to return user specific data? 如何理解请求将针对哪个用户帐户返回用户特定数据?
Cloud Endpoint cannot tell that, so you have to write an custom filter or interceptor to check if valid session or cookie exists and either reject or continue the request. Cloud Endpoint无法告知您,因此您必须编写自定义过滤器或拦截器以检查是否存在有效的会话或cookie,然后拒绝或继续该请求。
To pass the current authenticated user who is requesting the api, you need to inject the user informations somehow (using DI, or request properties etc) into the ApiEndpoints, so with that you can process the request accordingly 要传递请求api的当前经过身份验证的用户,您需要以某种方式(使用DI或请求属性等)将用户信息注入ApiEndpoints,以便可以相应地处理请求
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.