stackoom
  简体   繁体   中英

Best way to secure javascript front end/REST back end architecture web site?

 原文  2011-12-17 16:18:28       java/ javascript/ security/ rest/ architecture

Question

I would like to build the following project:

  • public REST API back end which can be accessed by any authenticated client
  • front end with static files in HTML/CSS/Javascript with Backbone.js jQuery calls to the REST back end

In fact, there are three parties in my architecture : the front end, which is a client of the back end, the back end and the user which wants to authenticate on the front end login page.

What is the best way to secure the three parties involved in this architecture ?

In fact, I believe it is just impossible to do a secure app on the front end if I do everything in javascript, so I intend to delegate the authentication/authorization to a proxy layer on my server front end. What do you think about that ?

I intend to use OAuth to secure my REST back end, but I am not sure if I have to use the 2 or 3 legged implementation. What is the right approach in this case?

UPDATE : while searching a deep more on SO website, i found this thread which is exactly what i would like to do, except i want to use Java on server side and not DotNet. If i understand well, in fact my web site is like any client of my REST API, except it is the only one which has the right to create new users' accounts. Because, if my REST API is only accessible by OAuth (like Twitter's one), who can perform the user account creation before ? Am i right ?

1 answers

solution1
 3 ACCPTED  2011-12-18 08:24:34

One major concern with security with this architecture is testing. Automated tools will have trouble testing this system for common vulnerabilities like SQL Injection, Direct Object Reference . A useful tool for testing strange architectures is OWASP's open source Zed Attack Proxy or the proprietary BURP proxy. Testing will be time consuming and requires someone who has a good understanding of web application vulnerabilities. We often refer to these people as Pentesters .

A RESTful form of keeping session state is to use an HMAC to protect the values from modification. However, this is a misuse of cryptography because it opens the door for attack. An attacker can brute force the secret key used in your HMAC and then modify values such as his session id or otherwise gain access to another account on the system. Cryptography should only be used when there is no other option. This vulnerability is prevented entirely by storing session state in a database, which isn't RESTful.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question In a Spring Web MVC application - how do we break up the architecture into Front-end & Back-end? Do I have the right understanding of the web app architecture? HTML5 front end, Java back end, and JSON binding Back-end architecture: RESTful web service PHP front-end and Java back-end for a web app? connecting back end to front end Website with Front end using JavaScript and back end Java How do Java REST calls relate to the front end of a Web Application? Front-end connection to back-end How to connect Angular front-end to Java Servlet back-end with HTTP and REST? Angular Front-end, Java Back-end best deployment pattern on Docker
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM