将jwt令牌作为url的一部分传递是不好的吗? [英] is it bad to pass jwt token as part of url?
问题描述
您好,目前我有一个角度应用程序和java后端.在我的角度组件html中,我有一些图像,例如个人资料照片.用spring安全性保护提供图像文件的资源. 所以我的问题是将json网络令牌作为图像URL的一部分添加吗?会导致安全漏洞吗?这是一个坏习惯吗?
Hi currently i have an angular application and java backend. in my angular component html i have some image such as profile photos. the resource that serves the image files is secured with spring security . so my quesiton is it bad to append json web tokens as part of an image url ? can it cause a security breach ? is it a bad practice ?
以下是我在chrome开发人员工具中的角度代码的样子.
the following is how my angular code looks like from the chrome developer tool.
<div _ngcontent-c5="" class="avatar-circle bg-secondary text-brand-secondary" ng-reflect-klass="avatar-circle" ng-reflect-ng-class="bg-secondary,text-brand-second" style="background-image: url("http://localhost:8080/api/files/4eb81fa8-9c5d-4920-b0f5-c9239fb1cae7?access_token=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJnbG9iYWxhZG1pbkBsb2NhbGhvc3QiLCJhdXRoIjoiUk9MRV9HTE9CQUxfQURNSU4iLCJleHAiOjE1NjExOTkwNTh9.UFvdgZNxs_O1uTjtUh64ko3A47R2fxZxYFX0aXv2Jp_TkVrmlBT1mzN40JwclGk3m0sCZONKbnVhgXXKy69DfQ");">
<!--bindings={
"ng-reflect-ng-if": "false"
}-->
</div>
任何帮助,我们感激不尽.我想将access_token作为http get请求标头的一部分传递,但我在任何地方都找不到合适的代码.任何帮助表示赞赏.
any help is appreciated . i would love to pass the access_token as part of the http get request header but i couldnt find a proper code anywhere. any help is appreciated.
推荐答案
根据图像,您可能希望使其公开可用,或者考虑以其他方式将令牌发送到服务器(cookie可能会有所帮助). /p>
Depending on the image, you may want to make it public available or consider a different way to send to token to the server (a cookie may help).
会导致安全漏洞吗?这是不好的做法吗?
正如我的上一个答案所述,JWT令牌的语法.这是来自 RFC 7519 的引用:
As mentioned in my previous answer, JWT tokens are URL-safe when it comes to their syntax. Here is a quote from the RFC 7519:
JWT表示为由句点(
.)字符分隔的一系列URL安全部分.每个部分都包含一个以base64url编码的值. [...]
A JWT is represented as a sequence of URL-safe parts separated by period (
.) characters. Each part contains a base64url-encoded value. [...]
但是,当将JWT用作承载令牌时,建议避免在URL中发送它们.请参见 RFC 6750 的以下引用:
However, when using JWT as bearer tokens, it's advisable to avoid sending them in the URL. See the following quote from the RFC 6750:
不要在页面URL中传递承载令牌:不应在页面URL中传递承载令牌(例如,作为查询字符串参数).
Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters).
相反,承载令牌应该在采取保密措施的HTTP消息头或消息主体中传递.
Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken.
浏览器,Web服务器和其他软件可能无法充分保护浏览器历史记录,Web服务器日志和其他数据结构中的URL.如果在页面URL中传递了承载令牌,则攻击者可能能够从历史数据,日志或其他不安全的位置中窃取令牌.
Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.
这篇关于将jwt令牌作为url的一部分传递是不好的吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
