Mobile app and SimpleDB direct 'Access Policy'


Problem description

I'd like to use SimpleDB for a mobile app. I have user accounts, so I would have a 'TVM' which would authenticate the user and return a time-limited token allowing the mobile app to directly make SimpleDB calls.

I believe however there is no way to do this securely assuming the app needs to be able to write and select from the database. A malicious user could simply retrieve the token and write their own SimpleDB calls which could write anything to the DB.

Is it true that the only way to securely do writes to SimpleDB is to have all the calls made through my webserver to SimpleDB?

This would be my access policy.

{
  "Action": [
    "sdb:PutAttributes",
    "sdb:Select*"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:sdb:us-east-1:123456789012:domain/mySDBDomain"
}

Recommended answer

Yes, you need to have a gateway/proxy application of sorts somewhere to provide the additional level of validation and security that you're looking for. On the bright side it really doesn't have to be anything fancy.

A small web server with code written in your favorite language running on a micro-instance (assuming you won't get too much traffic) which simply takes requests from your mobile application, performs some small level of validation (i.e. that the format of the data matches what you'd expect to see from your clients) and then sends it off as a properly formatted PUT-request to your SimpleDB domain.
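
The validation step such a gateway performs, as an added example that is not part of the original answer: it rejects anything outside an allow-listed shape and scopes the item name to the authenticated user before a PutAttributes call is built. The schema, attribute names, `build_put` and `RejectedRequest` are hypothetical; only the domain name comes from the policy in the question.

```python
import re

DOMAIN = "mySDBDomain"  # domain named in the question's access policy

# Hypothetical schema: the only attributes a client may write, each with
# a pattern its (string) value must fully match.
SCHEMA = {
    "display_name": re.compile(r"[A-Za-z0-9 .'-]{1,64}"),
    "high_score": re.compile(r"[0-9]{1,9}"),
}
# No ':' allowed, so a client cannot forge the "<user>:<item>" prefix.
ITEM_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


class RejectedRequest(ValueError):
    """Raised when a client request does not match the expected format."""


def build_put(user_id, body):
    """Validate a decoded JSON request body from the mobile app.

    user_id is assumed to come from the gateway's own session check,
    never from the request body. Returns keyword arguments shaped for a
    SimpleDB PutAttributes call (e.g. boto3's sdb put_attributes).
    """
    if not isinstance(body, dict) or set(body) != {"item", "attributes"}:
        raise RejectedRequest("unexpected request shape")
    item, attrs = body["item"], body["attributes"]
    if not isinstance(item, str) or not ITEM_NAME.fullmatch(item):
        raise RejectedRequest("bad item name")
    if not isinstance(attrs, dict) or not attrs:
        raise RejectedRequest("attributes must be a non-empty object")

    validated = []
    for name, value in sorted(attrs.items()):
        rule = SCHEMA.get(name)
        if rule is None:
            raise RejectedRequest(f"attribute not allowed: {name!r}")
        if not isinstance(value, str) or not rule.fullmatch(value):
            raise RejectedRequest(f"bad value for {name!r}")
        validated.append({"Name": name, "Value": value, "Replace": True})

    # Prefix with the authenticated user so one account cannot overwrite
    # another account's items, which the sdb:PutAttributes policy alone
    # cannot enforce.
    return {
        "DomainName": DOMAIN,
        "ItemName": f"{user_id}:{item}",
        "Attributes": validated,
    }
```

With this in place the AWS credentials stay on the gateway, and the mobile app only ever holds its own session with the gateway.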
