stackoom
  简体   繁体   中英

How to authenticate NSConnection requests?

 原文  2019-07-02 01:45:48       macos/ distributed-objects/ nsconnection

Question

(Let's ignore the fact that NSConnection is now deprecated.)

I have a tool that accepts connections to NSConnection over a service port. I have an application that launches the tool and then connects to it. That part works.

Now, I like to make sure that only my particular app can talk to the tool and that the tool rejects connections from any other tool/app.

How do I best accomplish this?

One idea I had:

Since the app starts the tool, it could pass a "secret" to the tool as an argument, and then I pass the same secret to the tool whenever I invoke one of its functions as an NSDistributedObject. However, that would mean I have to pass that extra argument to every call I make, and I think that's unnecessary overhead.

I would think that I could accept or reject the connection right when the app opens the connection to the tool, ie only once. There is the NSConnectionDelegate , and I suspect that I'd have to implement the authentication check in its authenticateComponents:withData: handler, but I cannot find any examples that would explain how to do that. I mean, is there any data in that connection attempt that would identify the app that's requesting the connection, such as its PID, for instance?

1 answers

solution1
 1 ACCPTED  2019-07-02 02:16:11

Do you establish a connection for every call? I wouldn't think so but, if not, why do you think you'd have to pass the secret for every call? It's pretty common for the server to have a check-in method that clients have to call. You could validate the secret in that check-in method.

A malicious client might try to just skip the check-in method. You can use the -connection:handleRequest: method of NSConnectionDelegate to force them to call the check-in method. Keep a flag for every connection indicating if you've seen the check-in method. If you have, that method can just return NO . If you haven't, then examine the NSDistantObjectRequest 's invocation 's selector . If it's the check-in method, set your flag and return NO . If it's not, then terminate the connection.

I know the underlying ports (Mach or socket) have mechanisms for authenticating peers, but I don't see a way to get at that with the abstractions of NSConnection laid over them.

Finally, you are apparently wedded to NSConnection but this is exactly the sort of thing that the NSXPCConnection API is for. Among other things, it will ensure that the service is only visible to the parent app.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question NSConnection - how to properly do “unvending” of an object? NSConnection between an OSX app and a command line tool How to authenticate a gRPC call for the Assistant SDK? Mac App Store, what DRM exists and how to authenticate purchases? How to authenticate internal corporate proxy with credentials in order to reach external API How to authenticate OS X app user against Active Directory? How to send ARP requests in C++ How can I make a process with standard-user privileges to authenticate a user entered system credentials on MacOS 10.9? How to do "You'll need to authenticate with a valid app password." when cloning Bitbucket repo? How to install requests module with pip? Is pip properly installed?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM