堆栈内存溢出
  简体   繁体   English

我应该保护Web应用程序中的UI吗?

[英]Should I protect UI in web application?

 原文  2017-06-26 09:56:00       spring/ reactjs/ user-interface/ spring-boot/ ria

问题描述

We have a web application with Rich Client Architecture. 我们有一个带有Rich Client Architecture的Web应用程序。 We use React for our client side and Java/Spring for our back-end. 我们在客户端使用React,在后端使用Java / Spring。

Now the question is should login page be a part of our react program or not? 现在的问题是登录页面是否应该成为我们反应程序的一部分? As I know, if we do so, the downsides are: 据我所知,如果这样做的话,缺点是:

  • The UI is not protected and everyone, even those without any access, can download the whole UI app. 用户界面不受保护,每个人,即使是没有访问权限的人,都可以下载整个用户界面应用。
  • Everyone, even without access must download the whole UI application before logging in. 即使没有访问权限,每个人都必须在登录之前下载整个UI应用程序。

And the upsides are: 好处是:

  • The page need not to be refreshed when someone logeed in. 有人登录时无需刷新页面。
  • Front-end and back-end parts can be totally separated without any shared sessions. 前端和后端部分可以完全分开,而无需任何共享会话。

In most known apps such as gmail, slack, etc. the rich client app (angular, react, etc.) is just after logging in and I just don't know any application with the first approach. 在大多数已知的应用程序(例如gmail,slack等)中,富客户端应用程序(角度,响应等)仅在登录后出现,而我对第一种方法不了解任何应用程序。

1 个解决方案

解决方案1
 2  2017-06-26 10:05:54

  1. Frontend is generally not protected. 前端通常不受保护。 There are potential ways to make it harder to brake code, but it will be always possible. 有一些潜在的方法可以使代码更难破解,但是这将始终是可能的。
  2. Because of 1 -> you should not keep any sensitive data in frontend. 由于1->,因此您不应在前端保留任何敏感数据。
  3. As an secured way of transfering data from Spring backend to React(or any other like Angular,VueJS etc) you should probably use JWT or OAuth2. 作为将数据从Spring后端传输到React(或其他任何类似Angular,VueJS等)的安全方式,您可能应该使用JWT或OAuth2。
  4. You can decode your JWT on frontend (but only backend can verify if it is valid token so don't worry) to get encoded scopes,roles etc to use them eg to show admin only options. 您可以在前端解码您的JWT(但只有后端才能验证它是否为有效令牌,因此请放心)以获取编码范围,角色等以使用它们,例如显示仅管理员选项。
  5. To answer your question - login page definitely can be part of React app, as it will send login credentials and get back JWT from backend 要回答您的问题-登录页面绝对可以是React应用程序的一部分,因为它将发送登录凭据并从后端取回JWT
  6. When user is logged in - you will attach JWT in headers with every request, so your Spring Security can check it and authorize request. 用户登录后-您将在每个请求的标头中附加JWT,以便您的Spring Security可以检查它并授权请求。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何保护已经构建的Spring Web应用程序免受XSS和CSRF攻击? - How can I protect already built spring web application against XSS and CSRF attacks? 对于 Web 应用程序,我应该使用 Spring 云网关还是 Ngnix - Should I use Spring Cloud Gateway or Ngnix for Web application 我应该在Spring Web应用程序中的哪里放置图像 - where should i put image in spring web application Spring Boot Swagger UI - 保护 UI 访问 - Spring Boot Swagger UI - Protect UI Access 使用Spring MVC的UI应用程序用于Web浏览器,Android,iPhone设备 - UI Application using Spring MVC for web browser, android, iphone device Spring:如何组织应用程序+ Web上下文? - Spring: How should application+web contexts be organized? 我应该为GWT应用程序构建REST后端吗? - Should I build a REST backend for GWT application Java,用spring配置企业应用程序和Web应用程序:它们应该共享spring上下文吗? - Java, configure enterprise application and web application with spring: should they share the spring context? 如何设置Web应用程序的有效性? - How can I set validity of a Web Application? 我如何使用内部应用服务器开发Spring Web应用程序? - How i can develop spring web application with application server inside?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM