
Which is the way to secure an app using Spring Boot and Angular 8 without login?

I want to secure an application which uses Angular 8 and Spring Boot 5, but it is a free form and does not need a login to access the UI. I have secured it using CSRF protection, but anyone can easily access the POST endpoint by passing the CSRF token in the request header, which can be obtained from the GET REST endpoint. So I need a good solution to implement security so that the Spring REST endpoints are not accessible other than from the Angular pages in the project. Can anyone please help me?

In short, no.

You have ways of hiding requests by hitting endpoints that process your request, but since you are starting out, consider that you can't.

Let me explain further: JavaScript runs in the client's browser. It means the client has full access to your front-end code: if he wants, he can completely break down your application.

The plus side is that it can only be broken on his own computer: the client can't mess with another client's browser.

On the other side, your server can be accessed by anything, but you're the one that has master control over it: you should secure it.

To do that, as you said, you can use JWT. But JWT is an authentication process, which is basically an encoded string. By decoding it, you can get client information, but it isn't fetched from the DB, it is fetched from the token itself.

If you want to secure your endpoints, you could for instance state that only the user with the ID provided by the token can access your endpoint: tokens can't be forged without the signature. This would secure your endpoint and prevent other users from making modifications.

Consider making another question with the tags corresponding to your back-end language, which will be way more helpful than asking for an Angular solution.
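As an added example (not code from the question or the answer above), here is the signature check and the "only the user whose ID is in the token" rule from the answer, written in Python with only the standard library and a constructed server secret; a Spring Boot back end would do the same through its JWT library, this just shows why a client holding the token cannot rewrite its claims:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret: in a real deployment it exists only on the server.
SERVER_SECRET = b"demo-server-secret-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, key: bytes = SERVER_SECRET) -> str:
    """Build an HS256 JWT: header.payload.signature, the signature being an HMAC over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": subject}, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, key: bytes = SERVER_SECRET) -> Optional[dict]:
    """Return the claims only if the signature matches; the claims come from the token, not from the DB."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse "none" or any algorithm the server did not issue
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # payload or signature was altered after issuance
        claims = json.loads(_b64url_decode(payload_b64))
        return claims if isinstance(claims, dict) else None
    except ValueError:  # malformed base64, JSON or structure
        return None


def can_modify(token: str, owner_id: str) -> bool:
    """The endpoint rule from the answer: only the user whose ID is in the token may modify that user's data."""
    claims = verify_token(token)
    return claims is not None and claims.get("sub") == owner_id


def tampered_subject(token: str, new_subject: str) -> str:
    """Re-encode the payload with another 'sub' but keep the old signature; verify_token must reject this."""
    header_b64, _, sig_b64 = token.split(".")
    payload = _b64url(json.dumps({"sub": new_subject}, separators=(",", ":")).encode())
    return f"{header_b64}.{payload}.{sig_b64}"
```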

Have you considered server-side rendering a token tied to the browser's IP and embedding it into Angular?
