将 jwt 令牌作为 url 的一部分传递是不是很糟糕? [英] is it bad to pass jwt token as part of url?
问题描述
您好,目前我有一个 Angular 应用程序和 Java 后端.在我的角度组件 html 中,我有一些图像,例如个人资料照片.提供图像文件的资源由 spring security 保护.所以我的问题是将 json Web 令牌作为图像 url 的一部分附加是不是很糟糕?它会导致安全漏洞吗?这是一种不好的做法吗?
Hi currently i have an angular application and java backend. in my angular component html i have some image such as profile photos. the resource that serves the image files is secured with spring security . so my quesiton is it bad to append json web tokens as part of an image url ? can it cause a security breach ? is it a bad practice ?
以下是我的 Angular 代码在 chrome 开发者工具中的样子.
the following is how my angular code looks like from the chrome developer tool.
<div _ngcontent-c5="" class="avatar-circle bg-secondary text-brand-secondary" ng-reflect-klass="avatar-circle" ng-reflect-ng-class="bg-secondary,text-brand-second" style="background-image: url("http://localhost:8080/api/files/4eb81fa8-9c5d-4920-b0f5-c9239fb1cae7?access_token=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJnbG9iYWxhZG1pbkBsb2NhbGhvc3QiLCJhdXRoIjoiUk9MRV9HTE9CQUxfQURNSU4iLCJleHAiOjE1NjExOTkwNTh9.UFvdgZNxs_O1uTjtUh64ko3A47R2fxZxYFX0aXv2Jp_TkVrmlBT1mzN40JwclGk3m0sCZONKbnVhgXXKy69DfQ");">
<!--bindings={
"ng-reflect-ng-if": "false"
}-->
</div>
感谢任何帮助.我很想将 access_token 作为 http get 请求标头的一部分传递,但我无法在任何地方找到合适的代码.任何帮助表示赞赏.
any help is appreciated . i would love to pass the access_token as part of the http get request header but i couldnt find a proper code anywhere. any help is appreciated.
推荐答案
根据图像的不同,您可能希望将其公开或考虑使用不同的方式将令牌发送到服务器(cookie 可能会有所帮助).
Depending on the image, you may want to make it public available or consider a different way to send to token to the server (a cookie may help).
它会导致安全漏洞吗?这是一种不好的做法吗?
正如我的上一个答案中所述,JWT 令牌的语法是 URL 安全的/em>.这是来自 RFC 7519 的引用:
As mentioned in my previous answer, JWT tokens are URL-safe when it comes to their syntax. Here is a quote from the RFC 7519:
JWT 表示为由句点 (.) 字符分隔的 URL 安全部分序列.每个部分都包含一个 base64url 编码的值.[...]
A JWT is represented as a sequence of URL-safe parts separated by period (
.) characters. Each part contains a base64url-encoded value. [...]
但是,当使用 JWT 作为不记名令牌时,建议避免在 URL 中发送它们.请参阅 RFC 6750 中的以下引用:
However, when using JWT as bearer tokens, it's advisable to avoid sending them in the URL. See the following quote from the RFC 6750:
不要在页面 URL 中传递不记名令牌:不应该在页面 URL 中传递不记名令牌(例如,作为查询字符串参数).
Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters).
相反,不记名令牌应该在已采取保密措施的 HTTP 消息头或消息体中传递.
Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken.
浏览器、网络服务器和其他软件可能无法充分保护浏览器历史记录、网络服务器日志和其他数据结构中的 URL.如果不记名令牌在页面 URL 中传递,攻击者可能能够从历史数据、日志或其他不安全的位置窃取它们.
Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.
这篇关于将 jwt 令牌作为 url 的一部分传递是不是很糟糕?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
