Security for Flex app when ssl is not available


Question


So I know the best practice would be to run my Flex app over ssl along with implementing other forms of security however that isn't an option at this point (for monetary reasons and the app simply doesn't need that much security otherwise my sponsors would pay for it). However, I would like to implement some form of security and I'm wondering whether it's even worth it when I don't have ssl to protect the transactions.


So my setup is that I have an ASP.Net server side with a Flex UI. Right now the UI is the only thing that protects access to the server: the server doesn't do any sort of verification during each request, it just assumes the person is allowed to do it. Obviously, anybody could write a program to generate posts (even if I could use SSL it would be like swiss cheese). Like I said before, security isn't a big deal, this is an internal app and it's nothing critical, however I do believe in doing things right. Would keeping the user info in session be a viable option and then verifying that the given user has permission, etc.? Perhaps some sort of token system?


What would your preferred method of protecting this setup be?


...and no, I won't give you the url :)

Recommended answer


ASP.NET Session itself is token based security and yes you can easily implement that by doing

[WebMethod(true)]


and yes, for any web method that requires login to be done first, it should call User.IsAuthenticated, which verifies the session token.


You can easily implement forms authentication (leave web.config empty; you can use FormsAuthentication in code).

For example,

[WebMethod(true)]   // true = EnableSession, so the caller's session is available
public string DoLogin(
    string username,
    string password)
{

    //.. do your verification
    // issue the forms-authentication cookie; false = session cookie, not persistent
    FormsAuthentication.SetAuthCookie(username,false);
    return "Login Successful";
}

[WebMethod(true)]
public string ChangePassword(
    string oldPass,
    string newPass)
{
     // verify user is logged on or not..
     // User is the IPrincipal exposed by WebService; the flag lives on its Identity
     if(!User.Identity.IsAuthenticated)
          return "Please Login";
     // The code below is secure, only 
     // authenticated user will go through below
     // change pass...


     return "Password Changed Successfully.";
}


We developed many Flex+ASP.NET sites, and we did exactly the same thing, but instead of returning a string we usually return a class like the following...

public class WSResult<T>{
     public bool Successful;
     public string Message;
     public T Result;
     public T[] Results;
}


The convention is simple: if the method was successful then you return Success = true, and depending upon whether you want to return an array of items or just a single item, you can return either Results or Result. In case there has been any error or unauthorized access you can set Successful=false and set Message to a detailed string. As per the following example.

[WebMethod(true)]
public WSResult<BusinessUser> DoLogin(
    string username,
    string password)
{
    try{
       BusinessUser user = BusinessUser.GetByUsername(username);
       if(user==null)
            throw new Exception("User not found");
       // compares the stored password as posted; see note on hashing below
       if(user.Password != password)
            throw new Exception("Password did not match");
       // Successful defaults to false for a bool field, so set it explicitly
       return new WSResult<BusinessUser>{ Successful=true, Result=user };
    }catch(Exception ex)
    {
        // this will even catch any DAL exceptions or any system error as well
        // Log Exception... somewhere for tracking...
        return new WSResult<BusinessUser>{ Successful=false, Message = ex.Message };
    }
}
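The two ideas in this answer (check the forms-authentication token at the top of every web method, and wrap every reply in WSResult) are combined below into one service. This is an added example and not the answerer's code: BusinessUser, its GetByUsername/Save methods, the PasswordHasher helper and the salt/hash fields are assumptions made for the example. It goes a little beyond the answer in that the password is stored as a salted PBKDF2 hash and compared in constant time, and the login failure message is the same for an unknown user and a wrong password.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.Services;

// Same envelope as the answer, with two factory helpers so callers cannot
// forget to set Successful.
public class WSResult<T>
{
    public bool Successful;
    public string Message;
    public T Result;
    public T[] Results;

    public static WSResult<T> Ok(T result)
    {
        return new WSResult<T> { Successful = true, Result = result };
    }

    public static WSResult<T> Fail(string message)
    {
        return new WSResult<T> { Successful = false, Message = message };
    }
}

// Hypothetical user record; GetByUsername/Save stand in for the data layer.
public class BusinessUser
{
    public string Username;
    public byte[] PasswordSalt;
    public byte[] PasswordHash;

    public static BusinessUser GetByUsername(string name) { /* DAL lookup */ return null; }
    public void Save() { /* DAL write */ }
}

// Assumed helper: PBKDF2 (Rfc2898DeriveBytes) with a per-user random salt.
public static class PasswordHasher
{
    private const int Iterations = 10000; // work factor; raise as hardware allows

    public static byte[] NewSalt()
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        return salt;
    }

    public static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }

    // Constant-time comparison so response timing does not reveal how many
    // leading bytes of the hash matched.
    public static bool Verify(string password, byte[] salt, byte[] expected)
    {
        byte[] actual = Hash(password, salt);
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++)
            diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}

public class SecureService : WebService
{
    // The forms-authentication cookie is the session token the answer refers
    // to; every method except DoLogin checks it first.
    private bool IsLoggedOn()
    {
        return User != null && User.Identity != null && User.Identity.IsAuthenticated;
    }

    [WebMethod(true)]
    public WSResult<string> DoLogin(string username, string password)
    {
        BusinessUser user = BusinessUser.GetByUsername(username);
        // One message for both failure cases: no username enumeration.
        if (user == null || !PasswordHasher.Verify(password, user.PasswordSalt, user.PasswordHash))
            return WSResult<string>.Fail("Invalid username or password");
        FormsAuthentication.SetAuthCookie(username, false);
        return WSResult<string>.Ok(username);
    }

    [WebMethod(true)]
    public WSResult<bool> ChangePassword(string oldPass, string newPass)
    {
        if (!IsLoggedOn())
            return WSResult<bool>.Fail("Please Login");
        // Act on the authenticated identity, never on a username sent by the client.
        BusinessUser user = BusinessUser.GetByUsername(User.Identity.Name);
        if (user == null || !PasswordHasher.Verify(oldPass, user.PasswordSalt, user.PasswordHash))
            return WSResult<bool>.Fail("Current password did not match");
        user.PasswordSalt = PasswordHasher.NewSalt();
        user.PasswordHash = PasswordHasher.Hash(newPass, user.PasswordSalt);
        user.Save();
        return WSResult<bool>.Ok(true);
    }
}
```

Without SSL the forms-authentication cookie still crosses the network in the clear, so this design stops anonymous or forged posts from reaching the business methods, but it does not protect the token itself in transit; the short-lived, non-persistent cookie (`SetAuthCookie(username, false)`) and the constant-time, hashed password check limit what an observer of one request can learn.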
