Security for Flex app when SSL is not available

Question

So I know the best practice would be to run my Flex app over SSL along with implementing other forms of security; however, that isn't an option at this point (for monetary reasons, and the app simply doesn't need that much security, otherwise my sponsors would pay for it). However, I would like to implement some form of security, and I'm wondering whether it's even worth it when I don't have SSL to protect the transactions.

So my setup is that I have an ASP.Net server side with a Flex UI. Right now the UI is the only thing that protects access to the server: the server doesn't do any sort of verification during each request; it just assumes the person is allowed to do it. Obviously, anybody could write a program to generate posts (even if I could use SSL it would be like Swiss cheese). Like I said before, security isn't a big deal; this is an internal app and it's nothing critical, however I do believe in doing things right. Would keeping the user info in session be a viable option, and then verifying that the given user has permission, etc.? Perhaps some sort of token system?

What would your preferred method of protecting this setup be?

...and no, I won't give you the url :)

Recommended answer

ASP.NET Session itself is token-based security, and yes, you can easily implement that by doing

[WebMethod(true)]

and yes, any web method requires login to be done first; it should call User.IsAuthenticated, which verifies the session token.

You can easily implement forms authentication (leave web.config empty; you can use FormsAuthentication in code).

For example

using System.Web.Security;
using System.Web.Services;

// Class name is a placeholder; the methods are the part that matters.
public class AppService : WebService
{
    [WebMethod(true)]
    public string DoLogin(
        string username,
        string password)
    {
        //.. do your verification
        // false = issue a session cookie, not a persistent one
        FormsAuthentication.SetAuthCookie(username, false);
        return "Login Successful";
    }

    [WebMethod(true)]
    public string ChangePassword(
        string oldPass,
        string newPass)
    {
        // verify user is logged on or not..
        // (WebService.User is an IPrincipal, so the flag lives on its Identity)
        if (!User.Identity.IsAuthenticated)
            return "Please Login";
        // The code below is secure, only
        // authenticated user will go through below
        // change pass...

        return "Password Changed Successfully.";
    }
}

We developed many Flex+ASP.NET sites, and we did exactly the same thing, but instead of returning a "string" we usually return a class like the following...

public class WSResult<T>{
     public bool Successful;
     public string Message;
     public T Result;
     public T[] Results;
}

The convention is simple: if the method was successful then you return Success = true, and depending upon whether you want to return an array of items or just a single item, you can return either Results or Result. If there has been any error or unauthorized access you can set Successful=false and set Message as a detailed string. As per the following example.

[WebMethod(true)]
public WSResult<BusinessUser> DoLogin(
    string username,
    string password)
{
    try{
       BusinessUser user = BusinessUser.GetByUsername(username);
       if(user==null)
            throw new Exception("User not found");
       // in a real DAL compare against a stored password hash, not the clear text
       if(user.Password != password)
            throw new Exception("Password did not match");
       // issue the forms ticket, as in the first example, so later calls pass IsAuthenticated
       FormsAuthentication.SetAuthCookie(username, false);
       // Successful defaults to false, so it must be set explicitly on the success path
       return new WSResult<BusinessUser>{ Successful=true, Result=user };
    }catch(Exception ex)
    {
        // this will even catch any DAL exceptions or any system error as well
        // Log Exception... somewhere for tracking...
        return new WSResult<BusinessUser>{ Successful=false, Message = ex.Message };
    }
}
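As an added example (not code from the original answer), the following puts the answer's two conventions, the per-request User.Identity.IsAuthenticated check and the WSResult<T> envelope, into one guard so that no protected web method can forget either of them. BusinessUser with its in-memory table, GetByUsername, VerifyPassword and SetPassword are assumptions standing in for the answer's data-access class, and the service namespace is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.Services;

// The answer's envelope; the guard below always sets Successful explicitly.
public class WSResult<T>
{
    public bool Successful;
    public string Message;
    public T Result;
    public T[] Results;
}

// Assumed stand-in for the answer's data-access class: an in-memory table that
// keeps a salted PBKDF2 hash of each password instead of the clear text.
public class BusinessUser
{
    private const int Iterations = 10000;
    private static readonly Dictionary<string, BusinessUser> Table =
        new Dictionary<string, BusinessUser>(StringComparer.OrdinalIgnoreCase);
    public string Username;
    private byte[] salt;
    private byte[] hash;

    public BusinessUser(string username, string password)
    {
        Username = username;
        SetPassword(password);
        Table[username] = this;
    }

    public static BusinessUser GetByUsername(string username)
    {
        BusinessUser user;
        return Table.TryGetValue(username ?? "", out user) ? user : null;
    }

    public void SetPassword(string password)
    {
        salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) hash = kdf.GetBytes(32);
    }

    public bool VerifyPassword(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password ?? "", salt, Iterations))
        {
            byte[] candidate = kdf.GetBytes(32);
            int diff = 0;   // compare every byte, no early exit
            for (int i = 0; i < hash.Length; i++) diff |= hash[i] ^ candidate[i];
            return diff == 0;
        }
    }
}

[WebService(Namespace = "http://example.invalid/")]   // placeholder namespace
public class SecureService : WebService
{
    // Every protected method goes through here: the forms ticket is verified on
    // the server for each call, and any exception becomes a Successful=false
    // reply instead of a raw server error.
    private WSResult<T> Guarded<T>(Func<T> body)
    {
        if (User == null || !User.Identity.IsAuthenticated)
            return new WSResult<T> { Successful = false, Message = "Please Login" };
        try { return new WSResult<T> { Successful = true, Result = body() }; }
        catch (Exception ex)
        {
            // log ex for tracking; the client only receives the message
            return new WSResult<T> { Successful = false, Message = ex.Message };
        }
    }

    [WebMethod(true)]
    public WSResult<BusinessUser> DoLogin(string username, string password)
    {
        // The one method an anonymous caller may reach, so it is not guarded.
        BusinessUser user = BusinessUser.GetByUsername(username);
        if (user == null || !user.VerifyPassword(password))
            // one message for both failures, so the reply does not confirm which usernames exist
            return new WSResult<BusinessUser> { Successful = false, Message = "Invalid username or password" };
        FormsAuthentication.SetAuthCookie(user.Username, false);   // session cookie only
        return new WSResult<BusinessUser> { Successful = true, Result = user };
    }

    [WebMethod(true)]
    public WSResult<bool> ChangePassword(string oldPass, string newPass)
    {
        return Guarded(() =>
        {
            // The identity comes from the verified ticket, never from a parameter the UI could set.
            BusinessUser user = BusinessUser.GetByUsername(User.Identity.Name);
            if (user == null || !user.VerifyPassword(oldPass))
                throw new Exception("Current password did not match");
            user.SetPassword(newPass);
            return true;
        });
    }

    [WebMethod(true)]
    public WSResult<bool> Logout()
    {
        return Guarded(() => { FormsAuthentication.SignOut(); return true; });
    }
}
```

With no SSL in the setup described in the question, the ticket cookie itself still travels in the clear. The guard closes the hole the question describes, a hand-crafted POST with no valid ticket is refused before any business code runs, but it cannot protect a ticket that is observed on the wire; that is the part only transport encryption addresses.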
