Security with Play! from Outside Application

Views: 91

Problem description

I am working on writing a private REST API with Play! that I will make calls to from a mobile application and I am confused about how to keep it secure.

When working through the Yet Another Blog Engine example in Play!'s documentation, I worked through their authentication example, and it deals with logging in through a browser. From what I understand about Play!'s Secure module, it helps with browser sessions. Additionally, every StackOverflow question I have seen has been involved with an administration module on the web and the questions have been pertaining to sessions as well.

My current understanding of how the security should work:

  • The mobile app "logs in" to the web app and obtains some kind of token
  • With each subsequent call the token is appended to the end of the API call
  • If the mobile user "logs out" or the token expires, the web app removes the token
  • Every API call uses HTTPS in order to maintain security

Is it possible for me to make an HTTP request from the mobile application to the web application I create using Play! Framework while keeping it secure?

Am I approaching the whole situation incorrectly?

This is the first Play! app I have created and this is the first time I have used Heroku. I am not too far in that I would be opposed to switching to something else if it were significantly easier/more efficient/better suited to solve this problem.

EDIT: Also, in Play!'s YABE tutorial, it seems like they check the password in plain text. Just from a general standpoint, how is that not a security issue?

EDIT 2: I have looked over OAuth provider information and it seems to solve the problem. My only apprehension with it is that v2.0 has known security flaws and v1.0 seems complicated to implement for a situation where all I need is a secure connection between a mobile app and a web app. If I were to make every call require SSL, could I make each Play method just take username and password as parameters and disregard OAuth completely?

Solution

Your example of having a mobile application authorize itself with a web application is achieved with an authorization framework like OAuth. This allows the web app to let the user log in, then issue an access token to the mobile app for making requests as that user, without the mobile app having to deal with the user's password.

Have a look at an OAuth provider module for Play. If you Google, you might find an OAuth client module for Play, but that's for the other side of OAuth, allowing your web app to authorize against a 3rd party provider. You'd then use an OAuth client library in your mobile app to deal with acquiring an access token.

It could even be a generic Java library for OAuth - the Play 2.0 documentation for OAuth states that it hasn't provided an OAuth 2.0 module because it's simple enough not to even need a library. However there are a few Java libraries available.

Here's a project where somebody's put together some OAuth provider stuff with Play (referenced from this forum post):

https://github.com/mashup-fm/playframework-oauthprovider
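The token lifecycle the question's four bullets describe (log in once for a token, present it on every call, drop it on logout or expiry, refuse anything not over HTTPS) and the access-token-instead-of-password arrangement the answer attributes to an OAuth provider come down to the same server-side logic. The following is an added example written for this page, not code from the question, the answer, Play!, or the linked project. It is framework-agnostic Python rather than Play's Java so the logic is visible without the framework; the in-memory `USERS` and `TOKENS` dictionaries, the 30-minute TTL, the PBKDF2 iteration count and every function name are constructed for the example. It carries the token in an `Authorization: Bearer` header rather than appended to the URL, because query strings tend to end up in server and proxy logs, and, addressing the first edit, it stores only a salted PBKDF2 hash of the password instead of comparing plaintext.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for the web app's database and cache.
USERS = {}    # username -> (salt, pbkdf2 hash)
TOKENS = {}   # opaque token -> (username, expiry as epoch seconds)

TOKEN_TTL_SECONDS = 30 * 60   # assumed lifetime of an issued token
PBKDF2_ROUNDS = 100_000       # assumed work factor; tune for the real server


def register(username, password):
    """Store only a salted PBKDF2-SHA256 hash, never the plaintext password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)


def verify_password(username, password):
    """Recompute the hash and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def login(username, password, now=None):
    """Bullet 1: the mobile app logs in once and receives an opaque bearer token."""
    if not verify_password(username, password):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
    TOKENS[token] = (username, now + TOKEN_TTL_SECONDS)
    return token


def authenticate(authorization_header, now=None):
    """Bullet 2: each call presents the token; returns the username or None."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    token = authorization_header[len("Bearer "):]
    entry = TOKENS.get(token)
    if entry is None:
        return None
    username, expires_at = entry
    now = time.time() if now is None else now
    if now >= expires_at:
        # Bullet 3 (expiry): the server forgets the token; the client must log in again.
        del TOKENS[token]
        return None
    return username


def logout(token):
    """Bullet 3 (logout): revoke the token immediately. Returns True if it existed."""
    return TOKENS.pop(token, None) is not None


def handle_request(scheme, authorization_header, now=None):
    """Bullet 4: refuse plain HTTP before looking at credentials; then authenticate.

    Returns a (status, body) pair like a minimal API endpoint would.
    """
    if scheme != "https":
        return 403, "HTTPS required"
    user = authenticate(authorization_header, now=now)
    if user is None:
        return 401, "invalid or expired token"
    return 200, f"hello {user}"


if __name__ == "__main__":
    register("alice", "correct horse")               # constructed sample user
    tok = login("alice", "correct horse", now=1000)
    print(handle_request("https", "Bearer " + tok, now=1001))   # (200, 'hello alice')
    print(handle_request("http", "Bearer " + tok, now=1001))    # (403, 'HTTPS required')
    logout(tok)
    print(handle_request("https", "Bearer " + tok, now=1002))   # (401, ...)
```

The token is random and opaque, so the server looks it up rather than parsing it, and the mobile app never holds the password after the initial login, which is the property the answer credits to an OAuth access token. In a Play 1.x application the same checks would naturally sit in a `@Before`-annotated controller method that runs ahead of every API action; the choice of where to put them is an assumption of this note, not something the page states.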
