Dojo Web 应用程序身份验证
我正在尝试使用 Dojo 开发一个纯 javascript Web 应用程序。我面临的问题之一是限制对应用程序某些部分的访问。经过身份验证的用户应该能够访问所有内容,而未经身份验证的用户应该只能访问登录屏幕。
问题是,没有什么(据我所知)可以阻止用户打开浏览器 JavaScript 终端并输入类似以下内容: app.displayRestrictedContent(); ,从而访问旨在用于经过身份验证的用户。
我已经实现了基于ajax的登录;所有 ajax 调用都通过会话进行保护。因此,虽然未经身份验证的用户可以加载受限屏幕,但他们将无法为其获取数据。但是,随意访问该屏幕似乎是错误的。
我正在尝试做不可能的事情吗?当它如此容易被绕过时,编写诸如 if (user.auth) app.displayRestrictedContent(); 这样的代码似乎很愚蠢。这让我相信我错过了一些对其他人来说相当明显的东西。我根本找不到太多关于纯基于 javascript 的应用程序和身份验证模型的信息。
I am attempting to develop a pure javascript web application using Dojo. The problem I face is one of restricting access to portions of the application. Authenticated users should be able to access everything, whereas non authenticated users should only be able to access a login screen.
The issue is that nothing (that I am aware of) will stop a user from opening up a browser javascript terminal and entering something like: app.displayRestrictedContent(); and thus gaining access to a screen intended for authenticated users.
I have implemented an ajax based login; all ajax calls are secured with a session. So while the non-authenticated user can load a restricted screen, they wont be able to fetch data for it. But still, It seems wrong for this screen to be arbitrarily accessible.
Am I trying to do the impossible? It seems silly to write code such as if (user.auth) app.displayRestrictedContent(); when it's so easily circumvented. And this leads me to believe I am missing something rather obvious to everybody else. I can't find much information at all on pure javascript based apps and authentication models.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
因为它是客户端代码。你用 js 编写的任何东西,或者编译成 js 的东西,都希望它能够被用户读取。
您可以在用户验证后动态加载js模块。所以一开始只加载1个登录模块。当用户登录时,如果成功,服务器返回要加载的js模块列表,如果不成功,则返回空列表。它还有助于缩短用户访问您网站时的加载时间。
Because it's client-side code. Anything you write in js, or get compiled to js, expect it to be readable by the users.
you can dynamically load js modules after the user authenticates. So at first, just load 1 login module. When the user logins, if successful, the server return a list of js modules to load, if not, return empty list. It also helps improve load time when the users come to your website.
我绝不是专家,但以下是我对此的一些想法。我不认为你错过了任何东西(如果是这样,我也错过了) - 我认为这是所有客户端应用程序的一个非常基本的问题,无论它是编译的可执行文件还是 JavaScript。
当然,编译后的可执行文件并没有受到它的特别阻碍,因为它被制作成机器代码,很难读取或反编译成任何有用的东西。然而,使用 Javascript,应用程序通常会完全按照您编写的方式提供服务,因此很容易修改和推理。
这让我想到了第一个半解决方案:混淆你的 Javascript。如果您将 Dojo 的构建工具与 Shrinksafe 参数一起使用,所有不必要的空格都会被删除,所有标识符都会被缩短,从而使代码非常难以阅读。我称这是一个半解决方案,有些人可能会说,即使这样也太过于信任了——我自己仍然认为这是值得做的。毕竟,缩小后的代码下载速度也更快!
我在应用程序中采取的第二个措施是将不同的部分分成“构建层”。例如,在我的构建配置文件中,我将具有类似
Now 的内容,而不是将构建的 JS 文件直接作为静态文件提供,而是让请求通过服务器端应用程序中的控制器,该控制器检查 JS 层是否需要身份验证以及用户是否以必要的访问权限登录。
这确实有一定的缺点。 JS 文件不会被缓存,如果我将所有 JS 放在一个构建层中,应用程序的加载速度可能会稍快一些。当然,制作图层的细微差别也是有限度的。更多层意味着更多麻烦,但也意味着更细粒度的模块访问。
我也有兴趣听到其他人对此发表意见。这是一个好问题。
I'm by no means an expert, but here are some thoughts I've made on this. I don't think you've missed anything (if so, I have too) - I think this is a pretty fundamental issue with all client applications, whether it's a compiled executable or a Javascript.
Of course, the compiled executable is not particularly hampered by it, because it's been made into machine code which is very difficult to read or decompile into anything useful. With Javascript however, the application is often served exactly as you wrote it, and so it's easy to modify and reason about.
That brings me to the first semi-solution: obfuscating your Javascript. If you use Dojo's build tool with the shrinksafe parameter, all unnecessary whitespace is removed and all identifiers are shortened, making the code quite difficult to read. I called this a semi-solution, some may say even that is giving it too much credit - I myself still think it's worth doing. After all, the shrunk code downloads faster too!
The second measure I take in my apps is to separate the different parts into "build layers". For example, in my build profile, I'll have something like
Now, instead of serving the built JS files directly as static files, I let the requests go through a controller in my server-side application, which checks if the JS layer requires authentication and whether or not the user is logged in with the necessary access.
This does have certain cons. The JS files aren't cached, and if I had all my JS in one build layer, the application would probably load slightly faster. There's of course also a limit to how nuanced it's worthwhile to make the layers. More layers mean more hassle, but also more finely grained module access.
I'd be interested to hear others chime in on this as well. It's a good question.
当用户成功登录时,服务器应向他提供会话令牌。之后,每当用户请求资源时(无论是通过重定向浏览器还是通过 AJAX),他都会向服务器显示他的会话令牌(通过将其存储在 cookie 中并在所有请求中自动发送它,或者通过在正文中显式传递它) AJAX 请求)
然后,服务器可以使用用户的会话令牌来控制服务器端的授权,拒绝任何具有无效或过时令牌的请求。
https://en.wikipedia.org/wiki/HTTP_cookie#Session_management
When a user successfully logins the server should provide him with a session token. The Afterwards, whenever the user requests a resource (either via just redirecting the browser or via AJAX) he shows the server his session token (either by storing it in a cookie and sending it automatically on all requests or by explicitely passing it in the body of an AJAX request)
The server can then use session tokens from the users to control authorizations server-side, rejecting any request with an invalid or outdated token.
https://en.wikipedia.org/wiki/HTTP_cookie#Session_management