
Is it useful to use CSRF token protection for Symfony 3 API REST and Angular webapp with JWT?

We are building an Angular 2 web app based on a Symfony 3 REST API (with FosRestBundle). We are using stateful JWTs to authenticate users between the backend and the frontend.

We are currently thinking about CSRF and we're wondering if it's right to use a CSRF token in addition to JWT. We read this in the FosRestBundle documentation:

When building a single application that should handle forms both via HTML forms as well as via a REST API, one runs into a problem with CSRF token validation. In most cases it is necessary to enable them for HTML forms, but it makes no sense to use them for a REST API. For this reason there is a form extension to disable CSRF validation for users with a specific role. This of course requires that REST API users authenticate themselves and get a special role assigned.

And we read some other StackOverflow questions about that too (see here and here for example).

My question is quite simple: why is it not recommended to use CSRF tokens with REST APIs? We do not understand how JWTs can protect against CSRF attacks.

Thanks :-)

First of all, "stateful JWT" is an oxymoron. To quote the introduction to JWT:

Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:

Authorization: Bearer <token>

This is a stateless authentication mechanism as the user state is never saved in server memory. The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources.

Authentication with JWT, if done properly, renders CSRF tokens obsolete. This is because CSRF attacks rely on browsers storing your cookies, and sending them with each request to the server. However, when clicking a button in a forged form that triggers a POST request, this request will never contain the Authorization header, so it will be treated by the server as unauthorized.
