安全地存储凭据以进行重复的Web服务调用
[英]Securely storing credentials for repeat web service calls
问题描述
I'm working on a web application for internal use that is driven by many web service requests to another remote server. 
我正在开发供内部使用的Web应用程序,该应用程序是由对另一个远程服务器的许多Web服务请求驱动的。 The internal site maintains its own session, authenticated by username/password credentials that are themselves backed by the web service(ie we make a remote authentication call to verify the login to the internal site). 内部站点将维护自己的会话,并通过用户名/密码凭据进行身份验证,而用户名/密码凭据本身将由Web服务支持(即,我们进行远程身份验证以验证对内部站点的登录)。 The web service requests also require authentication using these same credentials. Web服务请求还需要使用这些相同的凭据进行身份验证。
We were hoping these web service requests could remain stateless, which means passing the credentials in with every request for authentication. 我们希望这些Web服务请求可以保持无状态,这意味着在每次身份验证请求中都将凭据传递进来。 The problem is remembering the credentials to be used(the ones entered during the initial login) in a way that is secure. 问题在于以安全的方式记住要使用的凭据(在初始登录期间输入的凭据)。 I'm not aware of any truly safe way to store a password for later re-use - hashing it would sacrifice our ability to use it again. 我不知道任何真正安全的方法来存储密码以备后用-对其进行哈希处理会牺牲我们再次使用该密码的能力。 The best we could do would be to encode it in the session scope and hope that no malicious developer will ever try to catch it in a thread dump or something. 我们能做的最好的办法是在会话范围内对其进行编码,并希望没有恶意的开发人员能够尝试将其捕获到线程转储或其他内容中。
Is there a better solution to this that I'm missing? 有没有更好的解决方案,我错过了? Am I being overly paranoid about the risk of storing an encoded password in memory, or is our approach to this project flawed? 我是否对将编码的密码存储在内存中的风险过于偏执,还是我们对这个项目的方法存在缺陷?
2 个解决方案
解决方案1
0 2012-07-20 12:52:13
i would suggest to use token based authetication, a token is passed to the user for cheap user verification on the fly. 我建议使用基于令牌的身份验证,将令牌传递给用户以进行廉价的用户验证。 One implementation of this would be to generate a cookie that is passed to the user for session management. 一种实现是生成一个cookie,该cookie传递给用户以进行会话管理。
i have not used but you should look at oauth may be example 我没有使用过,但您应该看看oauth可能是示例
解决方案2
0 已采纳 2012-08-08 15:33:46
Ultimately our conclusion was that no, storing user credentials on the server that are re-usable in any way is not safe, so we can't do truly stateless re-authentication on each web service request. 最终,我们的结论是,不,将以任何方式可重复使用的用户凭据存储在服务器上并不安全,因此我们无法对每个Web服务请求进行真正的无状态重新认证。 We simply had to compromise and preserve a stateful connection that is initiated and stored during the user's initial login. 我们只需要折衷并保留一个有状态的连接,该状态的连接在用户的初始登录期间启动并存储。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.