通过 Backbone.js 安全访问经过身份验证的 REST 服务器?
我有这个 REST 服务器(由我自己编写),它通过简单的 HTTP 身份验证进行保护。
现在我使用backbone.js 重新编写了应用程序,但我不确定如何对我的客户端进行身份验证。如果我在 JS 中执行此操作,用户/密码将可见。
那么我应该如何修改我的服务器或客户端 JS 以确保安全呢?
以前我只是给了 user &将 PHP 传递给 REST 服务器的每个请求,请指导我,谢谢。
I've had this REST Server (written by myself) that is secured by simple HTTP Authentication.
Now I re-wrote the app using backbone.js and I am unsure how to go about authenticating my client. If i do it in JS user/pass would be visible.
So how should I modify my server or my client side JS to be secure?
Previously I just gave user & pass in PHP for each request to REST Server, please guide me, Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
HTTP 基本身份验证容易受到窃听和中间人攻击。建议使用HTTPS。
但是,如果这不是一个选项,您始终可以将 cookie 发送回客户端,并在其中输入用户名/密码以防止其显示在 JS 文件中。不言而喻,出于安全原因,密码至少应该被加密/散列。然后,服务器端将负责从 cookie 中获取身份验证详细信息。
现在,如果您对修改服务器端代码没有任何控制权,那么除了将凭据详细信息隐藏在将发送用户名的全局
ajaxSend()方法中之外,您几乎别无选择/每个 AJAX 请求的密码详细信息。您可以将其放在其他一些 .js 文件中并使其难以找到,但您几乎受到这种形式的安全性的限制。尽管如此,cookie 并不会让您的生活变得更安全。 (如果密码经过散列/加密,那就太好了)。您可以做的另一件事是采用稍微复杂一点的安全形式:让服务器在每个响应中发送回一个随机数 - 该随机数将由服务器使用服务器的密钥进行“签名”,您可以使用它来“对每个请求在客户端加密用户名/密码。然后,您的服务器必须不断解密凭据。这不太容易出现中间人,但仍然不是万无一失的。
如果 HTTPS 适合您的话,它可以帮助您避免上述所有问题。
希望这有帮助。
更新 (根据评论):
宁静的本质是服务器上没有状态。即,没有会话!因此,您需要在客户端向服务器发出的每个请求中发送用户凭据。如果您有一个登录页面,那么很难真正放松,因为没有称为登录的“资源”。但是,您可以执行以下操作:
每个请求都必须在服务器不维护会话的情况下识别自己 - 这就是无状态(和宁静;)的精神
HTTP Basic authentication is prone to eavesdropping and man-in-the-middle attacks. It's recommended to use HTTPS.
However, if that's not an option you can always send a cookie back to the client and have the username/password entered there to prevent it from being displayed in the JS file. Goes without saying that the password should at least be encrypted/hashed for security reasons. Then, the onus will be on the server side to get the authentication details from the cookie.
Now, if you don't have any control on modifying the server side code, you are pretty much left with no option other than burying the credential details in a global
ajaxSend()method that will send the username/password details with every AJAX request. You could just put this in some other .js file and make it hard to find, but you are pretty much restricted to that form of security. Although, cookies don't make your life any safer. (It'd be good if the password is hashed/encrypted).The other thing you could do is to have a slightly more complicated form of security: Have the server send a nonce back with every response - the nonce would be 'signed' by the server using the server's secret key and you can use that to 'encrypt' the username/password on the client side for every request. Your server would then have to constantly decrypt the credentials. This is less prone to man-in-the-middle but still not foolproof.
HTTPS would save you from each of the above if it's an option for you.
Hope this helps.
UPDATE (as per comment):
The essence of restful-ness is the absence of state on the server. I.e., no sessions! Hence you need to send the user credentials with EVERY request the client makes of the server. If you have a login page then it's very hard to be truly restful since there is no 'resource' called login. However, here's what you can do:
Every request must identify itself without having the server maintain the session - that's the spirit of statelessness (and restful-ness ;)
好吧,我和我的同事进行了讨论,并提出了迄今为止最好的想法:
在客户端(站点)中创建一个简单的控制器并将其命名为 RESTAPI,它将充当实际 REST 服务器的包装器。
当用户登录您的站点时,就会创建他的会话。 RESTAPI 控制器知道您的 HTTP Authed 实际 REST 服务器的凭据,并代表骨干网访问 REST 服务器。
示例:如果我必须获取
从 REST 服务器发送,现在我将在主干集合中点击此 url
RESTAPI 控制器还首先检查请求用户在站点上是否有正确的会话,以及是否允许他获取资源。
因此,不用担心不安全的 cookie 或让 REST 服务器以纯 JS 传递或使用任何其他晦涩的方法:)
Okay I had a discussion with my colleague and came up with the best idea so far:
Make a simple controller in your Client Side (site) and name it as RESTAPI, it will just act as a wrapper to your actual REST Server.
When a user logs into your site, his session get's created. The RESTAPI controller knows credentials to your HTTP Authed actual REST server and it hits REST Server on backbone's behalf.
Example: If I have to fetch
from REST Server, now instead i'll hit this url in backbone collection
The RESTAPI Controller also first checks that the requesting user has a proper session on the site and weather he is allowed to fetch the resource or not.
So no worries about insecure cookies or leaving your REST Server pass in plain JS or using any other obscure method :)
如果您有权访问服务器端 REST 代码,则可以重新设计 REST 身份验证。第一次登录时,您需要通过 https 发布用户名/密码,然后获取一个会话 id,该会话 id 可以在后续请求中使用,并将其作为 cookie 传递。
If you have access to your server side REST code, you can redesign REST authentication. First time, to login you post username/password over https, in turn obtain a session id which can be used in subsequent requests passing it as cookie.