移动应用程序基于 Web 或 SOAP 的集成
我正在寻找企业移动应用程序架构的一些输入。它适用于拥有数百个现有的基于 SOAP 的 Web 服务的大型组织,供基于 Web 的应用程序使用。我们使用服务帐户进行应用程序到 Web 服务的身份验证和授权(应用程序 N 具有特定的用户名和密码与 Web 服务 N 进行通信)。这些应用程序托管在 Android 市场和 iTunes(iPad 和 Android 应用程序)中。我们还需要为这些移动应用程序提供基于 SAML 的 SSO(目前不支持 OAuth)。
我提出了一种基于 Web 的集成方法,用于使用这些应用程序中的这些 Web 服务以及代理服务器来拦截来自移动应用程序的这些请求。因此,流程是:
- 移动应用程序使用 HTTP 和 JSON 与代理服务器进行通信。所有 SAML SSO 工作流程均由移动应用程序、服务提供商(代理服务器)和身份提供商服务器处理。
- 代理服务器使用服务帐户与 Web 服务进行通信,并将请求和响应编组和解组为 JSON。
这种方法的优点是:
- 由于基于 Web 的方法而进行跨平台移动应用程序开发,如下所示: 在跨平台方面已经做了哪些工作平台移动开发?
- 由于 HTTP 协议(而不是 SOAP),基于 SAML 的安全集成更容易。
我还看到该项目的 SOAP 存在以下问题:
- 在 SOAP 请求中使用 SAML 身份验证的一些技巧?
- 由于 Web 服务身份验证是使用服务帐户完成的,因此您需要在移动应用程序的代码中嵌入 Web 服务的密码,我将其视为安全问题与移动应用程序
- 的 JSON 相比,编组和取消编组 SOAP 请求和响应的成本较高设备。
- 由于我们需要在设备中嵌入秘密(密码)才能与网络服务通信,这是一个安全问题。 http://www .performantdesign.com/2009/09/03/facebook-iphone-session-proxy-in-php-fbsession-getsessionproxy/ 所以这个应用程序服务器充当会话代理。
这有道理吗?这种方法有什么缺陷吗?
预先非常感谢
I am looking for some inputs for an enterprise mobile application architecture. It is a for large organization with with hundreds of existing SOAP based web-services for consumption by web based application. We use service accounts for application to web-service authentication and authorization (Application-N with a specific username and password to communicate with web-service-N). These apps are hosted at Android market and iTunes (iPad and Android apps). We also have a need of SAML based SSO for these mobile apps (OAuth is not entertained at the moment).
I am proposing a web-based integration approach for consumption of these web-services from these apps along with a proxy server to intercept these requests from mobile apps. So, the flow would be:
- Mobile app communicates with proxy server using HTTP and JSON.All the SAML SSO workflow is handled by mobile app, service provider which is proxy server and identity provider server.
- Proxy server communicates with web-services using service account and marshalls and unmarshalls the requests and responses to JSON.
The advantage with this approach is:
- Cross platform mobile application development due web-based approach as pointed by:
What work has been done on cross-platform mobile development? - Easier SAML based security integration due to HTTP protocol as opposed to SOAP.
I also see the following issues with SOAP for this project:
- Some hack to use the SAML authentication within SOAP request?
- Since web-service authentication is done using service accounts, so you need to embed password for the web-service with mobile application's code, which I see it as security issues
- Marshalling and un-marshalling SOAP requests and response is expensive compared to JSON for mobile device.
- Since we need to embed the secret(password) in device to communicate with web-service, which is a security issue. http://www.performantdesign.com/2009/09/03/facebook-iphone-session-proxy-in-php-fbsession-getsessionproxy/ So this app-server acts as session proxy.
Is this makes sense? Any flaws with this approach?
Many thanks in advance
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
实际上,您选择的协议不会影响开发人员要实现的漏洞或设计缺陷的数量。您可以使用任何技术构建非常安全的 API。
SOAP 的真正优势在于 WSDL 文件可用于针对服务构建自动化安全测试。因此,当开发人员犯错误时,您可以检测到。在发布新版本的 API 之前,请确保使用 WSFuzzer。
SOAP 还具有内置于协议中的加密和身份验证等功能,因此您无需重新设计。
In all reality the protocol that you choose isn't going to affect the number of vulnerabilities or design flaws a developer is going to implement. You can build a very secure API using any technolgoy.
The real strength of SOAP is that the WSDL file can be used to build automated security tests against the service. So when the developer makes a mistake, you can detect it. Before you release a new version of the API make sure test the code with something like WSFuzzer.
SOAP also has features such as encryption and authentication built into the protocol so you don't have to reinvent the wheal.