有没有办法检查来自我的分布式客户端对我的 Web 应用程序 API 的调用?
有没有办法检查来自我的分布式客户端对我的 Web 应用程序 API 的调用???
也就是说,如果我同时拥有一个胖客户端(例如 Windows 窗体客户端)和公开 HTTPS 接口的服务器端 Web 应用程序(假设用户将用户名/密码放入客户端配置中进行身份验证),是否有一种方法可以确保 Web 应用程序接口仅由我的客户使用?也就是说,防止用户“玩弄系统”并开发自己的脚本/应用程序来使用 API(因此可能会滥用该服务)。
如果我以某种方式将私钥埋入 WinForms 客户端,以便它可以对有效负载进行签名,那么这意味着它可以被用户反编译???只是想知道是否可以解决这个问题......
谢谢
Is there a way to check with calls into my web-application API came from my distributed client???
That is if I have both a thick client (windows forms client say) and the server side web application that exposes a HTTPS interface (assume user puts username/passwork into the client configuration for authentication), is there a way to ensure the web application interface is ONLY used by my client? That is, prevent uses 'playing the system' and developing their own scripts/apps to use the API (and hence potentially misuse the service).
If I bury an private key into the WinForms client somehow so it can sign the payloads, the implication would be it could be decompiled by a user??? Just be curious to know if it is possible to solve this one....
thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您可以让“玩弄系统”变得更加困难,但您无法在客户的计算机上隐藏任何秘密。
一旦代码“坏人”能够直接访问进行 Web 服务调用的程序,他就能够对其进行反汇编,或通过其他方式对其进行逆向工程,以获取如何进行经过身份验证的调用的秘密到服务。
You can make it harder to "play the system", but you cannot hide any secrets on your client's computer.
As soon as the code is the "bad guy" has direct access to the program that makes the web service calls, he will be able to disassemble it, or by other means reverse engineer it, to obtain the secret of how to make authenticated calls to the service.