如何防止来自服务器的响应被用户修改?
[英]How to prevent response from the server modify by users?
问题描述
I have built a system using spring, java and angular.
我已经使用 spring、java 和 angular 构建了一个系统。 When the user successfully login to the system, the back-end will fetch the list of roles for the particular user.当用户成功登录系统时,后端将获取特定用户的角色列表。 Then, I realized that the response from the server can be modified before it reaches the user.然后,我意识到可以在到达用户之前修改来自服务器的响应。 Thus, it is possible for the user to add more roles for themselves and perform illegal actions.因此,用户可以为自己添加更多角色并执行非法操作。
For example: User A supposed to have the role to view the data only.例如:用户 A 应该具有仅查看数据的角色。 But when the API called the back-end to fetch the roles, the user intercepts the response from the server and add modify role to himself.但是当 API 调用后端获取角色时,用户会拦截来自服务器的响应并为自己添加修改角色。 Now the user is able to see the modify button and start to modify something.现在用户可以看到修改按钮并开始修改某些内容。
Is there any way to prevent this scenario happens?有什么办法可以防止这种情况发生吗?
1 个解决方案
解决方案1
0 2021-07-12 15:56:28
Keeping the backend checking the user role in each request.保持后端检查每个请求中的用户角色。 I mean, if your user a request an action (with modified role) you always check if user has a valid token and if their role (saved on your db) is correct to do it.我的意思是,如果您的用户请求一个操作(具有修改的角色),您总是检查用户是否具有有效的令牌以及他们的角色(保存在您的数据库中)是否正确执行此操作。 This way does not matter that user send to you, you always confirm if the action is allowed or not.这种方式与用户发送给您无关,您始终确认该操作是否被允许。
In this case the only way to do some illegal is having othe user access token, but this is another security issue.在这种情况下,做一些非法的唯一方法是拥有其他用户访问令牌,但这是另一个安全问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.