How to securely integrate EC2 hosted Shiny app into asp.net project


Problem description

I have two applications.

  1. An R Shiny app hosted on EC2
  2. An Asp.net application hosted on Azure.

The asp.net app performs user authentication and is used to organize a whole data science pipeline. A user provides data, the data scientist transforms the data and delivers a shiny app. Finally, the user opens the Shiny app within the asp.net application.

The problem I have is that I don't know how to integrate the Shiny app that I have developed within the asp.net application securely.

I could solve the problem like this:

Basically, I can make a simple iframe with a link to the public domain of the EC2 instance. However, this is not secure. Anybody can find and access the url with a simple page source click.

Another option that I have considered is to limit the IP address in the EC2 security groups. However, the problem is that the asp.net application is supposed to be used by different entities/independent users. So the security needs to be more granular [does the user have access to app, project within app, container within a project?] than just a server IP address.

Also, I have thought to provide a second level of authentication within the actual Shiny app, however this essentially loses the point of the asp.net authentication in the first place.

Any ideas or hints in what direction I should continue with research?

Recommended answer

I think you're right, there are two options. The first is to create a secure connection between the two servers and use the .Net app to proxy the traffic, but that defeats the point.

The second is to authenticate the use with both servers. You could do this by having the .Net server somehow pass data about the active sessions to the Shiny app to synchronise them but that isn't ideal.

You could instead use an authentication mechanism such as JWT where the .Net server would issue the client a token (i.e. cookie or embedded into the iFrame URL) when they log in and the client would then pass this token to the Shiny server, which would only have to validate the token. If using cookies you would need to make sure both servers are on the same subdomain so that the token is set properly.
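The token flow described in the answer, as an added example that is not part of the original question or answer: one side issues a short-lived signed token after login, the other validates it before serving the Shiny app. It is written in Python so both sides run in one file; a real deployment would issue from the .Net app and verify in front of Shiny. The HS256 shared key, the `shiny-app` audience, the `project` claim and the 60-second lifetime are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, json, time

ALG = "HS256"  # the only algorithm the verifier accepts (assumption: shared-key HMAC)

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key: bytes, user: str, project: str, now: float, ttl: int = 60) -> str:
    """Issuer side (the authenticating web app): sign a short-lived, scoped token."""
    header = {"alg": ALG, "typ": "JWT"}
    claims = {"sub": user, "aud": "shiny-app", "project": project,
              "iat": int(now), "exp": int(now) + ttl}
    signing_input = b64e(json.dumps(header).encode()) + "." + b64e(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64e(sig)

def verify_token(key: bytes, token: str, project: str, now: float) -> dict:
    """Verifier side (in front of the Shiny app): return the claims or raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64d(head_b64))
        sig = b64d(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token choose it (e.g. "none").
    if not isinstance(header, dict) or header.get("alg") != ALG:
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64d(body_b64))  # parsed only after the signature checks out
    if claims.get("aud") != "shiny-app":
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):  # a token copied out of the iframe URL expires quickly
        raise ValueError("expired")
    if claims.get("project") != project:  # per-project authorization, finer than an IP rule
        raise ValueError("not authorized for this project")
    return claims

if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production!"  # constructed sample secret
    tok = issue_token(key, "alice", "proj-1", time.time())
    print(verify_token(key, tok, "proj-1", time.time()))
```

The short expiry matters most when the token travels in the iframe URL, since URLs end up in page source, browser history and server logs.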
