
Implementing Security for Ajax calls

I am facing difficulty in making my Ajax request secure. The problem is data tampering. I have read about this problem and it is suggested that you should never trust whatever information is coming from the client. It can very well be changed using Fiddler or any such tool. We need to validate on the server side as well. But my question is how to validate.

Let's see one example. Suppose I have Employee information in a database and I have exposed one method, GetEmployeeDetailByEmployeeId. Before any employee makes this request he will be authenticated with userId and password, and authorized as to whether users of this type are allowed to make this request or not.

But if one employee gives the employeeId of some other employee, he will actually get the data which he is not supposed to see. To fix this issue we have two solutions:
1. We should check the request against the database, whether the information requested by the person is meant for him or he is the manager of that guy.
2. We should somehow validate in the app layer itself whether we should reject the call or not.

The first approach is performance intensive, where I have to make a database request and find the association of the record; it will also add cost to development.

Please suggest which way to go, and whether we have any better solution to solve this kind of problem.

Clearly you need to check it at your back-end side, otherwise your application is likely to be exploited by a kid.

Update

You need to implement an authorisation mechanism in your back-end. Then, after you load the permissions at the beginning, you can add them to the user session, so you don't need to look up the database each time; you just need to check the user permission against the task's required permission.

More

To implement the authentication mechanism: Goal, a user can see its own profile but a supervisor can see everyone within his department.

  • user A has the user_id already loaded in the session, let's say user_id = 123
  • user A can only request his own information, so if (user_id == req_user_id) then show the information, otherwise show an error.
  • user B has the permission value of 100, let's call him supervisor then. Now if (user_id == req_profile_id) is not true we will check the permission. Let's say the task permission for this particular task is 10, so if (user_perm >= task_perm), go ahead and check the department; if both the requested user and the current user are in the same department, then show the information, otherwise show an error.

This should work based on your information.
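The scheme from this answer as runnable server-side code, added here as an example (it is not code from the original post). It assumes the caller's permission level and department are copied into the session once at login, a per-task required level (10 for viewing a profile, as in the answer), and a constructed in-memory employee table standing in for the database; the task name `view_profile`, the `is_allowed` helper and the sample rows are all assumptions.

```python
# Added example (not from the original post): server-side authorization for
# GetEmployeeDetailByEmployeeId following the answer's scheme. The employee
# table and task name are constructed assumptions standing in for a real DB.

# Required permission level per task (assumption: "view_profile" -> 10).
TASK_PERM = {"view_profile": 10}

# Constructed sample rows: user_id -> record.
EMPLOYEES = {
    123: {"user_id": 123, "name": "Alice", "department": "sales", "perm": 0},
    456: {"user_id": 456, "name": "Bob",   "department": "sales", "perm": 100},
    789: {"user_id": 789, "name": "Carol", "department": "it",    "perm": 0},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def load_session(user_id):
    """Run once after login: copy the caller's id, permission level and
    department into the session so later requests need no DB lookup."""
    row = EMPLOYEES[user_id]
    return {"user_id": row["user_id"], "perm": row["perm"],
            "department": row["department"]}


def get_employee_detail(session, req_user_id):
    """Handle the Ajax call. req_user_id comes from the client and is never
    trusted; every decision is made from the server-held session."""
    req_user_id = int(req_user_id)          # query-string values arrive as text
    # Rule 1: everyone may see their own profile.
    if session["user_id"] == req_user_id:
        return EMPLOYEES[req_user_id]
    # Rule 2: otherwise the caller needs the task permission AND the same
    # department. Unknown ids get the same error as forbidden ones, so the
    # response does not reveal which ids exist.
    target = EMPLOYEES.get(req_user_id)
    if (target is not None
            and session["perm"] >= TASK_PERM["view_profile"]
            and session["department"] == target["department"]):
        return target
    raise Forbidden(f"user {session['user_id']} may not view {req_user_id}")


def is_allowed(session, req_user_id):
    """Convenience wrapper: True if the call would return a record."""
    try:
        get_employee_detail(session, req_user_id)
        return True
    except Forbidden:
        return False
```

Note that the session dict is the only input the check trusts; if the permission or department can change mid-session, refresh it on those events rather than reading it from the request.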
