How does stateless mode affect security in the Play! framework?

Stateless operation mode in the Play! framework is said to be less secure than stateful mode. How does it affect the Play framework in general, and is it possible to mitigate the security drawbacks for critical public web applications?

First of all, you say that stateless is less secure? Do you have any specific reason why you believe this is the case?

The idea of a stateless model is that you do not needlessly store data in a server-side session, which would force you to continue the 'session chat' on that same server for the duration of the session.

If you want to mimic a J2EE session, then you can simply use the session.id and store all state in a database, and delete it at the end of the session.

The session cookie itself is signed, so it cannot be tampered with, so there is no concern that someone can hijack the session id; but if you are particularly worried, then you can simply store your own identifier in the session cookie and encrypt it with the Crypto utility class, which uses the application's secret key to encrypt/decrypt data.

Stateless is just a change of mindset, and as long as you do not store data needlessly in the session (which is probably where you are coming from), then you should have very little to worry about.
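The pattern this answer describes (a signed cookie that carries only an opaque id, with the real state kept server-side and deleted at logout) as an added, self-contained illustration. This is not Play's own Crypto or Session code: the cookie layout `<hex hmac>-<urlencoded data>`, the choice of HMAC-SHA1, the in-memory dict standing in for the database and the demo secret are all assumptions made for this example. It also shows the one thing a signature does not give you: an unmodified cookie copied from a victim still verifies, so server-side state must be invalidated when the session ends.

```python
"""Signed session cookie plus server-side state store.

Added example, not Play framework code. Assumed cookie format:
'<hex hmac>-<urlencoded key=value pairs>', signed with HMAC-SHA1 under an
application secret. SERVER_STATE is a dict standing in for the database.
"""
import hashlib
import hmac
import secrets
import urllib.parse
from typing import Dict, Optional

# Constructed demo secret; a real application loads this from configuration.
APP_SECRET = b"constructed-demo-secret-do-not-reuse"


def sign(data: str, secret: bytes = APP_SECRET) -> str:
    """HMAC over the cookie payload; only a holder of the secret can produce it."""
    return hmac.new(secret, data.encode("utf-8"), hashlib.sha1).hexdigest()


def encode_session(values: Dict[str, str], secret: bytes = APP_SECRET) -> str:
    """Serialise the session as '<signature>-<urlencoded data>'."""
    data = urllib.parse.urlencode(values)
    return f"{sign(data, secret)}-{data}"


def decode_session(cookie: str, secret: bytes = APP_SECRET) -> Optional[Dict[str, str]]:
    """Return the session values, or None if the signature does not verify.

    The signature is hex, so the first '-' always separates it from the data;
    compare_digest keeps the check constant-time.
    """
    sig, sep, data = cookie.partition("-")
    if not sep or not hmac.compare_digest(sig, sign(data, secret)):
        return None
    return dict(urllib.parse.parse_qsl(data, keep_blank_values=True))


# Server-side state keyed by an opaque, unguessable id (stands in for the DB).
SERVER_STATE: Dict[str, dict] = {}


def start_session(user: str) -> str:
    """Create server-side state and hand back a cookie carrying only its id."""
    sid = secrets.token_urlsafe(32)  # 256 random bits; not derived from user data
    SERVER_STATE[sid] = {"user": user, "cart": []}
    return encode_session({"id": sid})


def load_state(cookie: str) -> Optional[dict]:
    """Verify the cookie, then look its id up; forged or unknown ids yield None."""
    session = decode_session(cookie)
    if session is None:
        return None
    return SERVER_STATE.get(session.get("id", ""))


def end_session(cookie: str) -> None:
    """Delete server-side state so a replayed cookie no longer maps to anything."""
    session = decode_session(cookie)
    if session:
        SERVER_STATE.pop(session.get("id", ""), None)


def tamper(cookie: str, key: str, value: str) -> str:
    """Edit the payload without re-signing, as an attacker without the secret would."""
    sig, _, data = cookie.partition("-")
    values = dict(urllib.parse.parse_qsl(data, keep_blank_values=True))
    values[key] = value
    return f"{sig}-{urllib.parse.urlencode(values)}"


if __name__ == "__main__":
    cookie = start_session("alice")
    assert load_state(cookie)["user"] == "alice"
    # Forged payload: the signature no longer matches, so the server rejects it.
    assert load_state(tamper(cookie, "id", "0000")) is None
    # Replay: a stolen but unmodified cookie still verifies (signing is neither
    # secrecy nor binding), which is why state is deleted server-side at logout.
    end_session(cookie)
    assert load_state(cookie) is None
```

Because the cookie holds nothing but a random id, nothing sensitive travels to the client and nothing needs encrypting; the signature only stops a client from substituting someone else's id or adding keys the server did not put there.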

It's not that Play's stateless model is less secure; it's just that there are no decent Java security libraries out there that can rival the likes of Spring Security.

The security modules available for Play at the moment are pretty basic, and don't provide a third of the functionality of Spring Security.

Until a security module is developed that rivals the likes of Spring Security, I'm afraid there is no way Play will have legs in the enterprise application world. At the moment it's fine for a simple blog application.

It's just a pity that Spring Security has a dependency on Spring and the servlet API.
