如何实现一个安全(!)认证在angularjs应用系统? [英] How to achieve a Safe (!) authentication system in an angularjs app?
问题描述
我是新与angularjs ...
I'm new with angularjs...
我阅读文档,并完成了教程;我也尝试别的东西我自己,事情开始道理给我。
I read the docs, and completed the tutorial; i also tried something else by myself, and things start to make sense to me.
现在我不知道如何使安全认证系统
最简单的部分:没有code,我将描述我的业务code执行:
The easy part: no code, i will describe operations my code execute:
我有一个经典的方式:用户名和密码的文本输入
I've a classic form: username, and password text input.
用户填写表单,和preSS ENTER键。
The user fills the form, and press ENTER.
一个Ajax请求开始,响应是一个JSON告诉我
像好的,我知道你或我不知道你是谁。
An ajax request starts, and the response is a JSON telling me something like "ok i know you" or "i don't know who you are".
我现在需要的是十个分量访问者的记录状态(或者没有登录),我的应用程序的不同视图之间。
我的互联网,为实现这一目标上阅读,有人设置一个变量($ scope.isLogged = TRUE),别人使用cookies;但JavaScript的变量,Cookie可以使用Firebug,或similiar开发工具轻松编辑。
I read on the internet that, to achieve this objective, someone sets a variable ($scope.isLogged = true), someone else uses cookies; but javascript variables, and cookies can be easily edited using firebug, or similiar development tools.
...最后一个问题:
... and finally the question:
因此,有你一些建议,在angularjs应用,实现了安全认证系统?
推荐答案
您不能授权在angularjs什么,因为用户有执行环境(即浏览器)的完全控制研究。每个检查,情况下,如果 - 任何你能想到的 - 可以被篡改。有迹象表明,使用非对称密钥进行加密的本地存储本地数据有所安全javascript库,但他们不是你正在寻找的,真的。
You cannot authorize anything in angularjs, because the user has full controll of the execution environment (namely, the browser). Each check, case, if - anything you can think of - can be tampered with. There are javascript libraries that use asymmetric keys to perform local encryption to store local data somewhat safely, but they are not what you are looking for, really.
您可以,你应在授权服务器上的事 - 你会做它在普通应用程序的标准方法 - 使用会话;没有什么特别的code是必要的,Ajax调用使用普通会话cookie。应用程序并不需要知道它是否是验证或没有。它只需要检查是怎么想的服务器。
You can, and you should, authorize things on the server - the standard way you would do it in an ordinary application - using session; no special code is necessary, ajax calls use ordinary session cookies. Application does not need to know whether it's authenticated or not. It only needs to check what server thinks.
从你angularjs应用的角度出发,是登录或注销仅仅是为用户的GUI提示。
From the perspective of your angularjs application, being "logged in" or "logged out" is merely a gui hint for the user.
这篇关于如何实现一个安全(!)认证在angularjs应用系统?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
