保护Flex-BlazeDS应用程序的最佳方法是什么?
[英]What's the best way to secure a Flex-BlazeDS application?
问题描述
What's the best way to secure a Flex-BlazeDS application? 
保护Flex-BlazeDS应用程序的最佳方法是什么? I've googled it an several solutions came up. 我用google搜索了几个解决方案。
UPDATE after question from jsight: 来自jsight的问题后更新:
- Flex would login, so on the RemoteObject I'll set Credentials Flex会登录,所以在RemoteObject上我会设置Credentials
- I don't know if there comes authentication and authorization with BlazeDS (WebORB for instance does and WebORB looked at BlazeDS for their product) 我不知道是否有使用BlazeDS的身份验证和授权(例如WebORB,WebORB查看了BlazeDS的产品)
- SSL not needed 不需要SSL
- I've seen some links on the internet talking about spring security, so I'll check that out. 我在互联网上看到一些关于弹簧安全性的链接,所以我会检查出来。
Authentication will be done by comparing user login with password to database. 验证将通过将用户登录与密码与数据库进行比较来完成。
1 个解决方案
解决方案1
4 已采纳 2010-02-24 20:46:17
My 2 cents: 我的2美分:
- We a have a Flex application and our login screen is part of the Flex application. 我们有一个Flex应用程序,我们的登录屏幕是Flex应用程序的一部分。 We don't use SSL but you may define a secure channel if you need it (but you don't); 我们不使用SSL,但如果需要,您可以定义一个安全通道(但是您没有);
- We created our own instance of the adapter class on the server (that extends the one that comes with BlazeDS). 我们在服务器上创建了自己的适配器类实例(扩展了BlazeDS附带的实例)。 The idea is that this class would check if the session for which that request belongs to has an authenticated user or not. 我们的想法是,该类将检查该请求所属的会话是否具有经过身份验证的用户。 In the Flex methods/ classes (on the Java side), we used annotations to inform the adapter class about requirements that must be satisfied in order for that method to be called - we call these annotations "FlexService" (for the class) and "FlexMethod" (for a method); 在Flex方法/类中(在Java端),我们使用注释来通知适配器类有关为了调用该方法必须满足的要求 - 我们称这些注释为“FlexService”(对于类)和“ FlexMethod“(用于方法);
- The main reason behind this is to avoid a method from being called if the user has not been authenticated before, and we want more granular control than just "block everybody". 这背后的主要原因是如果用户之前未经过身份验证,则避免调用方法,并且我们需要更精细的控制而不仅仅是“阻止所有人”。 We have licensing requirements and this library is also responsible for checking if the user has a license and if that license still valid for each request. 我们有许可要求,此库还负责检查用户是否拥有许可证以及该许可证是否仍对每个请求有效。
- The main reason behind this is to avoid a method from being called if the user has not been authenticated before, and we want more granular control than just "block everybody".
- Remember to hash your password before saving it to the database, and compare the hash only. 请记住在将密码保存到数据库之前对其进行哈希处理,并仅比较哈希值。 You could hash it one time in the Flex client (so the open password is never sent to the server), and hash the hashed value again before saving it to the database (so that if someone obtain your database hashed passwords, he still cannot hack into your system because he won't have the original hashed value that was sent from the Flex client). 您可以在Flex客户端中对其进行一次哈希(因此打开的密码永远不会发送到服务器),并在将其保存到数据库之前再次散列哈希值(这样,如果有人获取您的数据库哈希密码,他仍然无法破解进入您的系统,因为他没有从Flex客户端发送的原始哈希值)。
I am pretty sure I will get some downvotes if BlazeDS implements all of the above, but I didn't like what I found that was native to it, and I thought that using annotations was a good solution, especially because we were using annotations anyway to mark the methods that were BlazeDS methods (so IntelliJ would stop bothering us about methods that are not called anywhere). 我很确定如果BlazeDS实现上述所有内容,我会得到一些downvotes,但我不喜欢我发现它本身的东西,我认为使用注释是一个很好的解决方案,特别是因为我们无论如何都在使用注释标记BlazeDS方法的方法(因此IntelliJ会停止打扰我们关于任何地方都没有调用的方法)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.