在我的GAEJ应用程序中谨慎使用https [英] using https sparingly in my GAEJ app

问题描述

我有一个GAEJ应用程序，直到现在还没有处理敏感数据。由于这个原因，它一直很开心地运行在http：//
我正在使用GWT-RPC进行客户端服务器调用。

I have a GAEJ application that until now hasn't had to deal with sensitive data. For that reason it's been happily running under http:// I am using GWT-RPC for my client server calls.

然而，我现在想要开始存储客户姓名和地址，我想开始使用https。

However I now want to start storing customer names and addresses, for which I'd like to start using https.

我明白必须使用 https://www.xxxxx.appspot.com/ 域名。

我的问题是如何创建我的网站的一个小部分，只处理客户端敏感数据，让我的网站的其余部分不变？

My question is how can I create a sub-section of my site that only deals with client-senstive data, leaving the rest of my site untouched?

例如，如果我把以下安全约束在我的web.xml中：

For example if I put the following security constraint in my web.xml :

<security-constraint>
    <web-resource-collection>
          <url-pattern>/xxxxx/admin/*</url-pattern>
      </web-resource-collection>
    <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
 </security-constraint>

然后，我该如何告诉应用程序仅对某些RPC使用https，而不是全部？

换句话说，是否有可能让我的用户仍然使用http：
http://www.xxxxx.appspot.com/
以及何时让RPC发送或接收通过https完成的敏感数据？

how can I then tell the app to use https for only certain RPCs, and not all of them?
In other words, is it possible to leave it so that my users still access my site using http: http://www.xxxxx.appspot.com/ and when they make an RPC sending or receiving sensitive data that is done over https ?

我是否应该使用RequestBuilder将我的GWT-RPC构建为https？但如果我这样做，我该如何绕过浏览器相同的来源策略？

Should I use RequestBuilder to construct my GWT-RPC to be https? but if I do that how do I get round the Browser Same origin policy ?

当然，必须有一种方法来做到这一点，它必定是一个相当普遍的问题？ / p>

Surely there must be a way of doing this, it must be quite a common problem?

推荐答案

AJAX调用的跨域策略不允许您执行RPC https：// blah 当你从 http：// blah

The cross-domain policy for AJAX calls will not allow you to do an RPC to https://blah when you've served the page from http://blah

使用iframe或者像这样的头文件可以解决这个问题：

It's possible to overcome this using an iframe or a header like this:

Access-Control-Allow-Origin: https://www.mysite.com

但我不知道GWT是否可能。

but I don't know if that's possible on GWT.

这篇关于在我的GAEJ应用程序中谨慎使用https的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！