Can one use Ajax on Google App Engine as a logged in user over https from a non-appspot.com domain?
Suppose:
Given that Google's Appspot HTTPS support only works for https://example.appspot.com (i.e. you cannot set up https://www.example.com with GAE), I'd like to have an Ajax solution, namely:
My question/concern is: How does one ensure that the users logged into http://www.example.com (by way of Google's Users API) pass their authentication credentials over Ajax to https://example.appspot.com?
This seems to be a violation of the same origin policy (which may or may not be a concern for the Google Users API), so how would one know what user is logged in to example.com for the Ajax requests to example.appspot.com?
Thoughts, comments and input are quite appreciated.
Thank you.
Brian
When the two sites cooperate there are many ways around the same-origin problem; see, for example, this post. But only trial and error will reveal which techniques satisfy your specific requirements (which may depend on how strictly users have configured the security settings of their browsers, as well as on the server-side implementation).
Wouldn't it be far simpler to use frames? Serve up a single full-size frameset from yourdomain.com containing content from https://yourapp.appspot.com/.
Note, though, that either solution has the problem that users see an unsecured site, not a secured one.
example.appspot.com does not share any cookies with example.com - it will be impossible for you to identify the user without making them sign in on example.appspot.com as well.
You could, of course, completely ditch Google Authentication on example.appspot.com and implement your own scheme; you could append a signature and the username to the AJAX requests you create and verify that signature on your App Engine app. If the signature is valid, just accept the user that was passed in as the authenticated user and pretend he logged in.
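The signed-request scheme sketched in the answer above, as an added example that is not part of the original answer or of any Google library: example.com, which knows from the Google Users API who is logged in, mints a signed token server-side and embeds it in the page; the page's JavaScript appends the token's fields to each Ajax request; example.appspot.com recomputes the HMAC and accepts the named user only if it matches. The shared secret, the `mint_token`/`verify_token` names and the 300-second lifetime are assumptions; the timestamp check is an addition to limit replay, which the answer does not mention.

```python
import hmac
import hashlib
import time
from typing import Optional
from urllib.parse import urlencode

# Hypothetical shared secret known to example.com and example.appspot.com.
# Assumption: distributed out of band and never sent to the browser; the browser
# only relays the finished token.
SHARED_SECRET = b"replace-me-with-32-random-bytes"

# Token lifetime in seconds. The original answer has no expiry; this bounds replay.
TOKEN_TTL = 300


def _canonical(username: str, issued_at: int) -> bytes:
    # The exact bytes that are signed. The length prefix keeps the encoding
    # unambiguous, so two different (user, timestamp) pairs cannot collide.
    return f"{len(username)}:{username}|{issued_at}".encode("utf-8")


def mint_token(username: str, now: Optional[int] = None) -> dict:
    """Run on example.com after the Google Users API reports `username` as logged in.
    Returns the fields the page's JavaScript appends to each Ajax request."""
    issued_at = int(time.time()) if now is None else now
    sig = hmac.new(SHARED_SECRET, _canonical(username, issued_at), hashlib.sha256).hexdigest()
    return {"user": username, "ts": issued_at, "sig": sig}


def verify_token(params: dict, now: Optional[int] = None) -> Optional[str]:
    """Run on example.appspot.com for every Ajax request.
    Returns the username to treat as logged in, or None if the request
    is missing fields, is too old, or carries a signature that does not match."""
    try:
        username = params["user"]
        issued_at = int(params["ts"])
        sig = params["sig"]
    except (KeyError, TypeError, ValueError):
        return None
    current = int(time.time()) if now is None else now
    # Reject stale tokens; allow a small amount of forward clock skew.
    if not (current - TOKEN_TTL <= issued_at <= current + 60):
        return None
    expected = hmac.new(SHARED_SECRET, _canonical(username, issued_at), hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    if not hmac.compare_digest(expected, sig):
        return None
    return username


if __name__ == "__main__":
    # Constructed sample: what example.com would embed in the page for the JS to send.
    token = mint_token("brian@example.com")
    print("query string appended to the Ajax request:", urlencode(token))
    print("verified as:", verify_token(token))
    # Tampering with the username without re-signing is rejected.
    forged = dict(token, user="admin@example.com")
    print("forged request verified as:", verify_token(forged))
```

The point of minting the token on example.com rather than in the browser is that the secret never leaves the two servers; anything a page's JavaScript can sign, a user can sign for any username they like. Binding the token to the request path or method, or issuing it per session rather than per page, would tighten the scheme further.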