Worklight在线+离线验证 [英] Worklight Online + Offline Authentication
问题描述
我正在尝试通过Worklight实现以下功能。
I'm trying to achieve the following through Worklight.
- 我的应用程序有两组功能。仅当应用程序连接到服务器并且用户通过身份验证时,才能访问一组功能。另一组功能可以离线访问,但它们需要来自加密JSONStore的数据。
- 我在客户端设备上有一个使用密码初始化的JSONStore。因此,商店中的数据将被加密。此外,此JSONStore通过适配器同步到服务器上的数据库。
- 我还设置了另一个适配器,该适配器使用存储在数据库中的另一组凭据对用户进行身份验证。只有当应用程序在线时才能对用户进行身份验证。
我想要做的是统一这两种方法以便用户无需输入两组凭据即可访问这两组不同的功能。我想到的一个可能的解决方案就是加密JSONStore并在没有用户干预的情况下执行适配器身份验证。但我不认为它是安全的。
What I want to do is to unify these two approaches so that the user needn't enter two sets of credentials to access these two different sets of features. One possible solution that came to my mind is just to encrypt the JSONStore and perform the adapter authentication without the intervention of the user. But I don't think that it's secure.
任何解决此问题的建议或方法?
Any advice or approach to solve this issue?
推荐答案
以下只是一个想法,我不是安全专家。
The following is just an idea, I'm not a security expert.
要求:
- 要使用离线功能,您必须至少在线并经过身份验证一次。
- 您的应用程序必须有登录视图才能输入一些凭据(例如用户名/电子邮件和密码)。
步骤:
- 用户首次输入正确的凭据并成功通过服务器进行身份验证:对凭据进行哈希处理。例如:
var myHash = md5(loginField.getUser()+ loginField.getPassword())。您可以在Github上找到 md5 JavaScript库。 - 使用该哈希初始化商店。例如:
WL.JSONStore.init(...,{password:myHash})。 - 通过 HTTPS 将哈希发送到后端,如果用户更改了他/她的凭据,您将需要它。无需在设备上保存凭据或哈希值(
loginField = null; myHash = null)。或者,您可以在服务器上生成哈希并存储它,而无需客户端将其发回,只需确保客户端和服务器都使用相同的哈希算法。 - 工作时离线时,询问用户他/她的凭据,哈希并使用它来访问商店内的数据。
- 如果用户更改了他/她的凭据(例如通过网络界面为您的应用程序),哈希将是不同的,存储将不会初始化。但是,用户应使用新的/有效凭据成功通过服务器进行身份验证。向服务器询问旧散列,使用旧散列初始化存储,并根据新/有效凭据更改密码以将存储初始化为新散列。例如:
WL.JSONStore.changePassword(oldHash,newHash)。
- First time the user inputs the correct credentials and successfully authenticates with the server: hash the credentials. For example:
var myHash = md5(loginField.getUser() + loginField.getPassword()). You can find md5 JavaScript libraries on Github. - Use that hash to initialize the store. For example:
WL.JSONStore.init(..., {password: myHash}). - Send the hash to the backend over HTTPS, you will need it if the user changes his/her credentials. No need to save the credentials or the hash on the device (
loginField = null; myHash = null). Alternatively, you could just generate the hash on the server and store it, without having the client send it back, just make sure both client and server are using the same hashing algorithm. - When working offline, ask the user for his/her credentials, hash them and use it to access data inside the store.
- If the user changes his/her credentials (e.g. via the web interface for your application), the hash will be different and store won't init. However, the user should've successfully authenticated with the server with the new/valid credentials. Ask the server for the old hash, init the store with the old hash, and change the password to init the store to the new hash based on the new/valid credentials. For example:
WL.JSONStore.changePassword(oldHash, newHash).
可选:您可能需要考虑使用盐 。例如: var salt = Math.random(),myHash = md5(loginField.getUser()+ loginField.getPassword()+ salt)。
Optional: You may want to consider using a salt. For example: var salt = Math.random(), myHash = md5(loginField.getUser() + loginField.getPassword() + salt).
您需要将盐存储在某处,以便在用户返回应用程序后重新生成哈希值。你应该能够启动另一个未加密的商店来坚持它。例如 WL.JSONStore.init(...,{username:'metadata'})。then(function(){/ * add salt to store * /}) 。有关使用两个商店的更多信息此处。
You will need to store the salt somewhere so you can re-generate the hash once the user returns to the application. You should be able to init another unencrypted store to persist it. For example WL.JSONStore.init(..., {username: 'metadata'}).then(function(){/*add salt to store*/}). More information regarding using two stores here.
这篇关于Worklight在线+离线验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
