
Prevent direct access to images/pdfs through browser but only allow access through android app

I am trying to show images in an Android App which are stored on a Webserver. The images should not be available over a direct link in the webbrowser. The image name is a random generated hash string. It should only be accessible in the Android App.

Is there a way to protect the Image from access through the webbrowser or other access except from the Android App? I did some research, but did not find a good solution.

You can make it slightly harder, you can't make it impossible. In the end, there's no way to know whether an incoming request is actually coming from a particular app, or if it's coming from something pretending to be a particular app. The two look identical. There are two things you can do however:

1) You can make sure it's sent by an authorized user. Basically the user has some secret that he tells to the server and the server checks that the secret is valid and if so allows access (and if not returns a 404 or some other error). This is your basic login type system (the exact implementation tends to be a bit more involved, I'm simplifying). But if you do this you can't be sure it isn't someone with an account accessing through the app or through a web browser or a tool like curl. All you know is that the person has permission.

2) You can put that secret into the app itself, and send it as a header with every request. This is trivially hacked to get the secret, but 99% of people wouldn't bother to. It's a speed bump to anyone who wants the data that would take a skilled hacker 10 minutes to break.

Neither of these does what you want. #2 has the advantage of keeping out casual web crawlers without requiring much effort. #1 has the advantage of actually securing it to authorized individuals. Depending on what you need either can be an "eh, good enough" type solution.
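The two checks from the answer above, written out as a server-side gate so the difference between them is concrete. This is an added example, not code from the original question or answer. The secret value, the session-token table, the image name and the header names (`X-App-Secret`, `Authorization: Bearer ...`) are all constructed for the demonstration; a real server would read tokens from a session store and image bytes from disk.

```python
import hmac

# Approach 2: one secret baked into the APK and sent on every request.
# Constructed value; anyone who unpacks the app can recover it.
APP_SECRET = "demo-app-secret-0001"

# Approach 1: per-user tokens handed out after a successful login.
# Constructed table standing in for a real session store.
SESSION_TOKENS = {
    "tok_3d8e1a7b": "alice",
    "tok_91ac0f22": "bob",
}

# Image store keyed by the random hash-like names the question describes.
# Constructed entry; the bytes are a placeholder for the file contents.
IMAGES = {
    "9f86d081884c7d659a2feaa0c55ad015.png": b"\x89PNG\r\n\x1a\n...photo",
}

NOT_FOUND = (404, b"Not Found")


def _header_equals(headers, name, expected):
    """Constant-time comparison so a wrong secret can't be narrowed down
    one character at a time via response timing."""
    value = headers.get(name.lower())
    return value is not None and hmac.compare_digest(value, expected)


def build_app_headers(user_token=None):
    """What the Android app sends: the embedded secret, plus the user's
    login token when the user has signed in."""
    headers = {"x-app-secret": APP_SECRET}
    if user_token:
        headers["authorization"] = "Bearer " + user_token
    return headers


def serve_image(headers, image_name, require_login=True):
    """Gate one image request and return (status, body).

    Every failure maps to 404, as the answer suggests, so a browser or a
    crawler sees the same response for 'wrong secret' and 'no such file'.
    """
    headers = {k.lower(): v for k, v in headers.items()}

    # Check #2: the app-embedded secret. Keeps out casual browsers and
    # crawlers, but not anyone who pulled the string out of the APK.
    if not _header_equals(headers, "x-app-secret", APP_SECRET):
        return NOT_FOUND

    # Check #1: a valid per-user token. Proves an authorized *person* sent
    # the request, regardless of whether it came from the app or curl.
    if require_login:
        auth = headers.get("authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token not in SESSION_TOKENS:
            return NOT_FOUND

    body = IMAGES.get(image_name)
    if body is None:
        return NOT_FOUND
    return (200, body)


if __name__ == "__main__":
    name = "9f86d081884c7d659a2feaa0c55ad015.png"
    # Signed-in app user: passes both checks.
    print("app:", serve_image(build_app_headers("tok_3d8e1a7b"), name)[0])
    # Direct link pasted into a browser: no headers at all.
    print("browser:", serve_image({}, name)[0])
    # curl with the secret extracted from the APK but no login: check #2
    # alone lets it through, check #1 stops it.
    stolen = {"X-App-Secret": APP_SECRET}
    print("curl, secret only:", serve_image(stolen, name, require_login=False)[0])
    print("curl, login required:", serve_image(stolen, name)[0])
```

Running the `__main__` block shows the answer's point directly: the browser gets 404, the app gets 200, and a curl user who copied the secret out of the APK gets 200 under check #2 alone and 404 only once the per-user login check is enforced.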

Statement: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, please credit this site or the original URL. For any questions contact: yoyou2525@163.com.
