只有让我的客户端访问我的web服务 [英] Only allow my clients to access my webservice
问题描述
我是谁知道一点关于安全开发人员!我有一个Web服务,将数据传送到我的android应用。我想,以确保只有我的应用程序可以访问Web服务并阻止其他人!
I'm a developer who knows little about security! I have a web service that feed data to my android application. I want to make sure only my app can access the web service and block anybody else!
搜索了一下后,我想出了令牌生成算法。我生成我的应用程序令牌,然后在我的服务器我检查,如果它是由我的算法或不创建。问题是,我必须创建要么
After searching a bit i came up with token generation algorithm. I generate a token in my app then in my server i check if it's created by my algorithm or not. The problem is, i have to create tokens that are either
- 可用时间只有
- 到期在较短的时间(如30秒)
但如何?!
我真的不希望存储的令牌,因为我有1M +用户和存储令牌他们让每个请求是不可控!
我也无法把用户设备的时间标记,因为它可能是不正确的!我已经写的工作原理是这样的算法
搜索结果
字符串标记=一些随机字符串+日期和时间+随机字符串和时间的哈希值!
搜索结果
现在,在我的服务器,我可以检查的时候还没有过期,哈希code是正确的。但是,如果一些用户不他们的设备上调整的时间正确,他们会太堵了!
那么什么是我的另类?
I really don't want to store tokens because i have 1M+ users and storing tokens for each request they make is just not manageable!
I also can't put user device time in token since it may not be correct! I already write an algorithm that works like this
String token = "some random string" + "date time" + "hash of random string and time"!
Now in my server i can check if time is not expired yet and hash code is correct. But if some of user don't adjust time on their device correctly they will be blocked too!
So what are my alternative?!
推荐答案
要限制访问的替代方案将是您的Web服务来提供加密的内容,因此,只有您的应用程序(这将持有的解密密钥)可以利用吧。
An alternative to limiting access would be for your webservice to serve up encrypted content, so that only your app (which would hold the decryption key) could make use of it.
这篇关于只有让我的客户端访问我的web服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
