如何最好地保护肥皂服务的访问
我正在构建一个交互式 JavaScript 应用程序,需要向第三方服务器发出一些 SOAP 请求。问题是服务器只接受基本的 WS-Security 身份验证,即纯文本用户名和密码。最简单的解决方案是将用户名和密码硬编码到Javascript中,然后进行ajax调用,但显然从安全角度来看这很糟糕(有人可以轻松查看页面源代码)
我能想到的解决这个问题的唯一方法是有一个第二个服务器,其中存储 SOAP 用户名和密码,例如在 PHP 文件中。然后,Javascript 应用程序可以向服务器发出 ajax 调用,然后服务器运行逻辑并向 SOAP 服务器进行身份验证。有人仍然可以在我的页面之外对服务器进行ajax调用,但至少他们无法获取用户名和密码
我认为必须有更好的解决方案,但我想不出其他任何东西还有其他想法吗?谢谢
I'm building an interactive javascript application that needs to make some SOAP requests to a 3rd party server. The problem is the server only accepts basic WS-Security authentication, i.e. plaintext username and password. The simplest solution is to hardcode the username and password into the Javascript then make ajax calls, but obviously that is terrible from a security standpoint (someone can easily view the page source)
The only way I can think of to overcome this is to have a second server where the SOAP username and password is stored, say in a PHP file. Then the Javascript application can make a ajax call to the server, then the server runs the logic and authenticates with the SOAP server. Someone could still make ajax calls to the server outside of my page, but at least they couldn't get at the username and password
I'm thinkng there has to be a better solution, but I can't think of anything else, anyone have any other ideas? Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我认为最好的解决方案是在服务器端做逻辑,如果可以的话,尝试使用ssl。然后,您可以对文件进行 ajax 调用,该文件在您提供 HTML/Javascript 代码的同一服务器中执行逻辑。
I think that the best solution is to do the logic in the server side, and if you can, try to use ssl. then you make the ajax calls to the file that does the logic in the same server were you are serving the HTML/Javascript code.