通过(稳定)Web服务发送邮件的安全方式
[英]Secure way to send a mail via a (Restful) Webservice
问题描述
I have a AngularJS Webapplication with Java Backend. 
我有一个带有Java后端的AngularJS Web应用程序。
Now i want to send a mail out of the Angular Application. 现在我想从Angular Application发送邮件。 I thought the best way is to send a post or get request to the webservice and send the Mail via an internal smtp server to the recipient. 我认为最好的方法是将帖子发送或获取请求到Web服务,并通过内部smtp服务器将邮件发送给收件人。
But i think there is a big security problem with this concept. 但是我认为这个概念存在很大的安全性问题。 When i create a webservice call like: /api/mail?mailto=john@doe.com someone can take the link to the webservice, change the recipient and take this link to start spamming to other people. 当我创建一个Web服务呼叫时,例如:/ /api/mail?mailto=john@doe.com有人可以获取该Web服务的链接,更改接收者,并使用此链接开始向其他人发送垃圾邮件。
Do someone know a secure way for this architecture to send a mail via a webservice? 有人知道这种体系结构通过Web服务发送邮件的安全方法吗? It is necessary that i have to pass the recipient to the mail service, because the user set this in the AngularJS UI. 我必须将收件人传递给邮件服务,因为用户在AngularJS UI中进行了设置。
I am happy about any suggestion. 我对任何建议都很满意。
2 个解决方案
解决方案1
0 2017-09-20 07:13:14
Here are the security measures you should take for securing your rest api. 这是您应采取的安全措施,以保护您的Rest API。 REST Security Cheat Sheet Here is the list of security measures you should take for your rest API. REST安全备忘单这是您应该为其余API采取的安全措施的列表。
- HTTPS HTTPS
- Access Control - For access control, you can API keys, OAuth, etc. take a look at this article https://stormpath.com/blog/secure-your-rest-api-right-way 访问控制 -对于访问控制,您可以使用API密钥,OAuth等。请参阅本文https://stormpath.com/blog/secure-your-rest-api-right-way
- Restrict HTTP methods - Can be handled in controller. 限制HTTP方法 -可以在控制器中处理。
- Security headers - Use proper security header to prevent CORS, CSRF attack. 安全标头 -使用适当的安全标头可防止CORS,CSRF攻击。 ( The attack you specified in your question ). ( 您在问题中指定的攻击 )。 Have look in this article https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html . 看一下本文https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html 。
- Pass Sensitive information in HTTP POST request 在HTTP POST请求中传递敏感信息
If you use spring-security you will be covered in most of this. 如果您使用spring-security,那么大部分内容都将涵盖其中。
解决方案2
0 2017-09-21 22:39:36
Use Mailgun . 使用Mailgun 。 You can send 10,000 emails for free you can call the API via your Java backend, like so: 您可以免费发送10,000封电子邮件,也可以通过Java后端调用API,如下所示:
public static ClientResponse SendSimpleMessage() {
Client client = Client.create();
client.addFilter(new HTTPBasicAuthFilter(
"api","key-3ax6xnjp29jd6fds4gc373sgvjxteol0"));
WebResource webResource = client.resource(
"https://api.mailgun.net/v3/samples.mailgun.org/messages");
MultivaluedMapImpl formData = new MultivaluedMapImpl();
formData.add("from", "Excited User <excited@samples.mailgun.org>");
formData.add("to", "john@doe.com");
formData.add("subject", "Hello");
formData.add("text", "Testing some Mailgun awesomeness!");
return webResource.type(MediaType.APPLICATION_FORM_URLENCODED).
post(ClientResponse.class, formData);
}
This would be more secure than your implementation. 这将比您的实现更安全。 I would also send the email address from the Angular client to your Java backend as a POST. 我还要将Angular客户端的电子邮件地址作为POST发送到您的Java后端。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.