
GoogleAppEngine Java WebService security

I'm working on a small game in Java (using JApplet) and I want to implement highscores and achievements.

I don't have a dedicated server, so I decided to use GoogleAppEngine for storage of player data and after generation of highscores and achievements. I have already found out how to create WebServices on GoogleAppEngine, but I have a question regarding security...

I don't want unauthorized people to make calls to my WS... What kind of security can I implement to prevent other people from using this WS, so only the authorized client (which is my Applet) could post there?

My Applet will probably be hosted on my personal web page and the WS is going to run on GoogleAppEngine.

Thanks in advance, Serhiy.

Because people aren't going to be hitting your GAE app directly, the Google login and the user service might not be very effective... so you might want to look at more conventional security.

There's one way which is to sign all requests with a private key in the applet and check them up with the public key on the GAE. The problem with this way is that you'll have to keep the private key on the applet, which (I'm guessing) can be reverse engineered and stolen.

You could also explore using the cross domain security restrictions on applets... have the applet post back to the server from which it came and have that server communicate with GAE with signed requests.

You could also look at using HTTP_REFERER based security - accepting only requests that originated from your host domain.
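
The relay design from the answer above (the applet posts to its own host, and that host signs what it forwards to GAE), sketched as an added example that is not code from the original post. The class name, the `timestamp + "\n" + body` layout, the 60-second freshness window and the sample payload are assumptions; the private key exists only on the host server, so nothing secret ships inside the applet.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Hypothetical names throughout; only java.security / java.util APIs are real.
public class SignedScoreRequest {
    static final long MAX_SKEW_MS = 60_000; // assumed freshness window

    // Bytes covered by the signature. Including the timestamp bounds how long
    // a captured request stays acceptable.
    static byte[] canonical(long timestampMs, String body) {
        return (timestampMs + "\n" + body).getBytes(StandardCharsets.UTF_8);
    }

    // Runs on the host server, the only holder of the private key.
    static String sign(PrivateKey key, long timestampMs, String body) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(canonical(timestampMs, body));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // Runs on GAE, which stores only the public key.
    static boolean verify(PublicKey key, long timestampMs, String body, String sigB64, long nowMs) {
        if (Math.abs(nowMs - timestampMs) > MAX_SKEW_MS) return false; // stale or future-dated
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(key);
            s.update(canonical(timestampMs, body));
            return s.verify(Base64.getDecoder().decode(sigB64));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed signature or unusable key: reject
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();       // constructed demo key pair
        long now = System.currentTimeMillis();
        String body = "player=serhiy&score=1200"; // constructed sample payload
        String sig = sign(kp.getPrivate(), now, body);
        System.out.println("valid:    " + verify(kp.getPublic(), now, body, sig, now));
        System.out.println("tampered: " + verify(kp.getPublic(), now, "player=serhiy&score=999999", sig, now));
        System.out.println("stale:    " + verify(kp.getPublic(), now, body, sig, now + 5 * MAX_SKEW_MS));
    }
}
```

The signature only proves the request passed through the host server; the host still has to decide whether a score reported by the applet is plausible before signing it.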
