Security for web applications: session vs token


Question

Background:
I am developing a web application and plan to use spring-mvc and spring security. My plan is to use form-based authentication, where spring security authenticates the credentials and sets a session JSESSIONID so that subsequent requests are authenticated based on the cookie present in the request header.

My understanding:

  • Web application requests should have state. This state can be accomplished by using the session.

  • Purely session-based authentication is vulnerable to CSRF attacks. As spring security provides CSRF protection, I didn't find any security loopholes using session + CSRF protection.

  • Access tokens are only used to give access to APIs which have been exposed for third-party applications.

My Question:
But when I see lots of questions on this site, people are using token (OAuth2/JWT) based authentication for web applications. What I believed is that tokens are only used to give access to APIs.

When I saw people using tokens for web applications I got this question. Assume a token-based web application does not use a session but expects the token in the header of every request.

  1. When should token-based authentication be used in a web application?

  2. As far as security is concerned, which one is good? Session + CSRF or token-based authentication.

I am confused about the use cases of token and session.


Most often, it depends on your clients.
For example, for mobile clients (e.g. JSON payload over HTTP), there is no such thing as a Session. JWT has the advantage of working cross-origin. In contrast, a Session-based auth method with Cookies works only for the same (sub)domain and does not scale that well.
However, it is easier to invalidate a Session than a JWT. Since you anyway use Spring-MVC and I guess scalability is not critical, just go with the one you are more comfortable with.

Conclusion: Session supports requests only from the same origin; token-based authentication is preferred for authenticating cross-origin requests.

Recommended answer

Most often, it depends on your clients. For example, for mobile clients (e.g. JSON payload over HTTP), there is no such thing as a Session.

JWT

  • JWT has the advantage of working cross-origin
  • Hence JWT-based authentication scales better
  • Very popular in the age of single-page applications (SPA) / Web APIs
  • Take care of integrity protection by using a signature or MAC. Do not allow unsecured JWTs: {"alg":"none"}

Session

  • Mainly used in combination with web browsers
  • Easier to invalidate (delete) a session. A JWT only has an expiry date and stays valid until it expires
  • Pay attention to the cookie attributes: Secure; HttpOnly, and, for some protection against cross-site request forgery attacks: SameSite=Strict or SameSite=Lax

Other approaches: Open Source Identity Providers like Keycloak with e.g. traefik as load balancer have become quite popular. This brings the advantage that new routes can go live without restarting any service. Also, in some cases, it saves application downtime caused by an excessive rate of API calls.

To conclude: Many roads lead to Rome. It always depends on the specific requirements, the environment and the skills of the team. Since you anyway use Spring MVC and I guess scalability is not critical, just go with the one you are more comfortable with.
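To make the JWT bullet above concrete, here is an added example (not code from the question or the answer, and not Spring Security's own implementation) of a minimal HS256 verifier that pins the algorithm server-side, rejects {"alg":"none"} tokens before any MAC is computed, and enforces exp; SECRET, the helper names and the sample claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads it from a secret store.
SECRET = b"demo-secret-do-not-use-in-production"

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def issue_hs256(claims: dict, key: bytes) -> str:
    # Header pins alg=HS256; the MAC covers the base64url header and payload.
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(mac)}"

def unsigned_token(claims: dict) -> str:
    # An {"alg":"none"} token with an empty signature, as a verifier must expect to receive.
    return f"{_segment({'alg': 'none'})}.{_segment(claims)}."

def verify_hs256(token: str, key: bytes, now: "float | None" = None) -> "dict | None":
    """Claims if MAC and expiry check out, else None. The algorithm is pinned server-side:
    {"alg":"none"} or any non-HS256 header is rejected before any MAC is computed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict)) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    # A JWT stays valid until exp; unlike a session it cannot simply be deleted server-side.
    exp = payload.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or exp <= (now if now is not None else time.time())):
        return None
    return payload
```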

