How to build a secure stateless authentication system for a client-side Dart application


Question

I'm building a stateless authentication system for a Dart frontend and have discovered that it's quite tricky to build a stateless authentication system that's actually secure.

The stack is as follows: a Dart application that does JSON POSTs to a Spring MVC backend, using Jackson to convert back and forth between JSON and Java objects. Everything will be behind SSL when it goes into production.

Scenario 1: User logs in, I keep a session on the Java side - this is not stateless and will cause problems when load balancing the backend.

Scenario 2: Upon hitting the login button, a POST is done by Dart to the Authentication controller, which verifies the credentials and passes back a token (which could be a bunch of UUIDs concatenated together). The token comes back to the frontend; this token combined with the username will then have to be passed along with each request. The Dart application now needs to store this token somewhere. Since a Dart application compiles to JavaScript, cookies seem not to be an option (JavaScript can't access cookies?). HTML5 localStorage comes to mind, but from what I've read, it's pretty easy to hijack that token if any form of XSS vulnerability is available (and I'm guessing browser plugins and toolbars that inject JavaScript into the page can also access this token).

Scenario 3: Just like in scenario 2, I get passed back a token from the Spring MVC backend, but instead of storing it in HTML5 localStorage, I keep it in a JavaScript variable and pass it on if a new window is opened. The same problem applies here: since it's inside a JavaScript variable, any kind of XSS vulnerability or browser plugin can nab that token and hijack the session.

So it seems that for a stateless "session", HTML5 localStorage is the most convenient, but it's not secure. Is there a way to secure it, or is there an alternative way that will allow me stateless authentication in the browser?

Answer

I got a fairly decent answer on Information Security which suggests using cookies with the HttpOnly and Secure flags set on them:

http://security.stackexchange.com/questions/84860/how-to-build-a-secure-stateless-authentication-system-for-a-client-side-javascri/84861#84861

I had to switch to Servlet 3 to allow setting the HttpOnly flag:

Set HTTP-Only on cookies created in Spring MVC controller: http://stackoverflow.com/questions/29406002/set-http-only-on-cookies-created-in-spring-mvc-controller/29406129

On the Dart side, I had to switch away from BrowserClient, as it doesn't allow cross-domain cookies:

Dart BrowserClient POST not including my cookies: http://stackoverflow.com/questions/29427203/dart-browserclient-post-not-including-my-cookies
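The following is an added example, not code from the question or the answer above. It puts the two halves of the thread together: the stateless token the question describes in scenario 2 (here a username plus expiry, HMAC-signed with a key shared by every backend node, so no node has to keep a session), delivered the way the answer recommends, in a cookie with the HttpOnly and Secure flags set through the Servlet 3.0 Cookie API. The controller class, route paths, cookie name, key constant and the passwordOk stand-in are all hypothetical; it assumes Java 8, a Servlet 3.0+ container and Spring MVC 4.x.

```java
// Added example, not the original poster's code. Assumes Java 8, a Servlet 3.0+
// container (Cookie.setHttpOnly needs it) and Spring MVC 4.x. Class, route, cookie
// and field names, the key constant and passwordOk() are hypothetical.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AuthController {
    // Shared by every backend node, so any node behind the load balancer can verify
    // a token without session state. Load it from a secret store in production.
    private static final byte[] HMAC_KEY =
            "replace-with-32-random-bytes-from-a-secret-store".getBytes(StandardCharsets.UTF_8);
    private static final long TTL_MILLIS = 8L * 60 * 60 * 1000;
    private static final String COOKIE_NAME = "auth";

    public static class Credentials {
        public String username;
        public String password;
    }

    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String login(@RequestBody Credentials c, HttpServletResponse resp) {
        if (!passwordOk(c.username, c.password)) {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return "denied";
        }
        String token = issueToken(c.username, System.currentTimeMillis() + TTL_MILLIS);
        Cookie cookie = new Cookie(COOKIE_NAME, token);
        cookie.setHttpOnly(true); // Servlet 3.0: script cannot read it, so XSS cannot exfiltrate it
        cookie.setSecure(true);   // browser only sends it over HTTPS
        cookie.setPath("/");
        cookie.setMaxAge((int) (TTL_MILLIS / 1000));
        resp.addCookie(cookie);
        return "ok";
    }

    @RequestMapping(value = "/whoami", method = RequestMethod.GET)
    public String whoami(HttpServletRequest req, HttpServletResponse resp) {
        String user = authenticatedUser(req);
        if (user == null) {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return "anonymous";
        }
        return user;
    }

    /** Token layout: base64url(username:expiresAtMillis) "." base64url(HMAC-SHA256 over the first part). */
    static String issueToken(String username, long expiresAtMillis) {
        String payload = b64((username + ":" + expiresAtMillis).getBytes(StandardCharsets.UTF_8));
        return payload + "." + b64(hmac(payload));
    }

    /** Returns the username when the MAC verifies and the token is unexpired, otherwise null. */
    static String verifyToken(String token, long nowMillis) {
        int dot = token.indexOf('.');
        if (dot < 0) return null;
        String payload = token.substring(0, dot);
        String plain;
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(token.substring(dot + 1));
            plain = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64
        }
        if (!MessageDigest.isEqual(hmac(payload), given)) return null; // constant-time compare
        int sep = plain.lastIndexOf(':'); // expiry follows the last ':' so usernames may contain ':'
        if (sep < 0) return null;
        long expiresAt;
        try {
            expiresAt = Long.parseLong(plain.substring(sep + 1));
        } catch (NumberFormatException e) {
            return null;
        }
        return nowMillis < expiresAt ? plain.substring(0, sep) : null;
    }

    static String authenticatedUser(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie ck : cookies) {
            if (COOKIE_NAME.equals(ck.getName())) {
                return verifyToken(ck.getValue(), System.currentTimeMillis());
            }
        }
        return null;
    }

    private static byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(HMAC_KEY, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Hypothetical stand-in for the real credential check against the user store.
    private static boolean passwordOk(String username, String password) {
        return username != null && password != null && !password.isEmpty();
    }
}
```

Two caveats that follow from moving the token into a cookie. First, the browser now attaches it to every request automatically, so the endpoints need a CSRF defence that is itself stateless; since the Dart app only sends JSON, rejecting any state-changing request whose Content-Type is not application/json, or requiring a custom request header that a cross-site form cannot set, is the usual choice. Second, if the API lives on a different origin than the Dart app, the browser only sends the cookie when the request is made with credentials (in dart:html that is the withCredentials flag on HttpRequest, which is the behaviour the last link above is about) and the server answers with Access-Control-Allow-Credentials: true and an explicit, non-wildcard Access-Control-Allow-Origin. Note also that with Secure set the cookie is never sent over plain HTTP, so the development setup needs HTTPS too, and that a purely stateless token cannot be revoked before its expiry; keep the TTL short or rotate HMAC_KEY.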
