
Best way to secure javascript front end/REST back end architecture web site?

I would like to build the following project:

  • public REST API back end which can be accessed by any authenticated client
  • front end with static files in HTML/CSS/Javascript with Backbone.js jQuery calls to the REST back end

In fact, there are three parties in my architecture: the front end, which is a client of the back end, the back end, and the user who wants to authenticate on the front end login page.

What is the best way to secure the three parties involved in this architecture?

In fact, I believe it is just impossible to do a secure app on the front end if I do everything in javascript, so I intend to delegate the authentication/authorization to a proxy layer on my server front end. What do you think about that?

I intend to use OAuth to secure my REST back end, but I am not sure if I have to use the 2 or 3 legged implementation. What is the right approach in this case?

UPDATE: while searching a bit more on the SO website, I found this thread which is exactly what I would like to do, except I want to use Java on the server side and not DotNet. If I understand well, in fact my web site is like any client of my REST API, except it is the only one which has the right to create new users' accounts. Because, if my REST API is only accessible by OAuth (like Twitter's one), who can perform the user account creation before? Am I right?

One major concern with security with this architecture is testing. Automated tools will have trouble testing this system for common vulnerabilities like SQL Injection and Direct Object Reference. A useful tool for testing strange architectures is OWASP's open source Zed Attack Proxy or the proprietary BURP proxy. Testing will be time consuming and requires someone who has a good understanding of web application vulnerabilities. We often refer to these people as Pentesters.

A RESTful form of keeping session state is to use an HMAC to protect the values from modification. However, this is a misuse of cryptography because it opens the door for attack. An attacker can brute force the secret key used in your HMAC and then modify values such as his session id or otherwise gain access to another account on the system. Cryptography should only be used when there is no other option. This vulnerability is prevented entirely by storing session state in a database, which isn't RESTful.
