
Jersey Web Services Security Question

I am building a public facing REST application for clients to access. In trying to develop security for it, I looked at how AWS handles their REST authentication using an access key and secret key to sign the message before sending to the AWS server. So I coded an example with Jersey, JSP, and JavaScript (JSONP) to test, and it seems to work ok.

1.) On page load the JSP takes the client's access key and date/time (converted to EPOCH) and writes them out to the page. It also takes those two pieces of information and combines them with the client's unique secret key via HMAC-SHA1.

2.) When I execute the jQuery ajax request, I pass in all three pieces of information:

  1. user access key
  2. date/time (EPOCH)
  3. signed message

3.) On the Jersey side I take the access key and date/time and check a database for the user's secret key. Then I perform my own HMAC-SHA1 signature and compare it to the user-submitted signed message. If they match, then allow them to use our web service. I also check the date/time and only accept messages signed within the last 15 minutes.

My question is, is this secure enough?
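
The scheme described in the three steps above, written out as an added example that is not part of the original question or of Jersey. It is in Python rather than Java so it runs stand-alone; the same shape (HMAC-SHA1 on the server, a time window, a constant-time compare) maps directly onto a Jersey filter. The credential store, the access key, the secret, the newline used to join access key and timestamp, and the timestamps are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed stand-in for the database lookup on the Jersey side:
# access key -> secret key. Both values are made up for this example.
SECRETS = {
    "AKIAEXAMPLE": b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}

MAX_AGE_SECONDS = 15 * 60  # the 15-minute window from the question


def sign(access_key: str, epoch_seconds: int, secret: bytes) -> str:
    """What the JSP does on page load: HMAC-SHA1 over access key + timestamp.

    The question does not say how the two fields are joined; a newline
    separator is assumed here so neither field can run into the other.
    """
    message = f"{access_key}\n{epoch_seconds}".encode()
    return hmac.new(secret, message, hashlib.sha1).hexdigest()


def verify(access_key: str, epoch_seconds: int, signature: str, now: int) -> bool:
    """What the Jersey resource does before serving the request.

    Returns True only for a known access key, a timestamp inside the
    window, and a signature that matches the server's own computation.
    """
    secret = SECRETS.get(access_key)
    if secret is None:
        return False
    # Check the window first: abs() also rejects timestamps set in the
    # future, which a client could otherwise use to pre-sign requests.
    if abs(now - epoch_seconds) > MAX_AGE_SECONDS:
        return False
    expected = sign(access_key, epoch_seconds, secret)
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading characters of a guessed signature were right.
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Walk through the cases a server must get right; returns the verdicts."""
    key = "AKIAEXAMPLE"
    ts = 1_700_000_000          # constructed request timestamp
    sig = sign(key, ts, SECRETS[key])
    return {
        "valid":             verify(key, ts, sig, now=ts + 100),
        "expired":           verify(key, ts, sig, now=ts + MAX_AGE_SECONDS + 1),
        "tampered_ts":       verify(key, ts + 1, sig, now=ts + 100),
        "unknown_key":       verify("AKIANOTTHERE", ts, sig, now=ts + 100),
        "replay_in_window":  verify(key, ts, sig, now=ts + 600),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} accepted={ok}")
```

The last case is the caveat worth noticing: as described, the signature covers only the access key and timestamp, so within the 15-minute window the same three values can be resubmitted and will verify again, and they verify for any request, not just the one the page intended. Binding the signature to the request (method, path, body hash) and remembering signatures already seen inside the window are the usual ways to close both gaps; neither is shown here.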

This isn't a complete answer, but I don't have the points to just comment quite yet. I would add to your security a salt on the server side. Please see this article for a good discussion on hashing using master keys and salts.
