c*********e posts: 16335 | 1 For example, user userid=3 obtains a token, then uses a tool to call the web service's URL directly and maliciously modifies another user's record (userid=8).
How do you prevent this?
| x****d posts: 1766 | 2 You are saying you only authenticate but do not authorize? Just add authorization to your design.
[In reply to c*********e]
| p*****2 posts: 21240 | | c*********e posts: 16335 | 4 No.
If userid=3 is given a token that contains his role, the lowest-level user, then he can POST/PUT his own record through some method in the controller; at the same time, he can also POST/PUT other people's records through that same method.
[In reply to x****d]
| x****d posts: 1766 | 5 You need to authorize the user to change individual records, but your design is not doing that. Just change your design. Your authorization is not strong enough to meet your requirement. | g*****g posts: 34805 | 6 After authentication, the user principal is available in the session; do a simple comparison to make sure the user is operating on his own data, that's all.
[In reply to c*********e]
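An added illustration of the check g*****g describes (example code written for this thread, in Python rather than the OP's C#/IIS stack; the stores, user ids and function names are constructed): the token is an opaque server-side session handle, the role is looked up on the server, and the PUT handler compares the caller's id with the record's owner before writing. The vulnerable handler is shown next to the fixed one.

```python
import secrets

# Constructed in-memory stand-ins for the session store, user table and data table.
SESSIONS = {}                                   # opaque token -> user id (server side)
USERS = {1: {"role": "admin"}, 3: {"role": "user"}, 8: {"role": "user"}}
RECORDS = {3: {"email": "u3@example.test"}, 8: {"email": "u8@example.test"}}


def login(user_id):
    """Issue an unguessable random token; the role is NOT embedded in it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def principal(token):
    """Resolve the caller from the server-side session; the role comes from the server."""
    user_id = SESSIONS.get(token)
    if user_id is None:
        return None
    return {"id": user_id, "role": USERS[user_id]["role"]}


def update_record_vulnerable(token, target_user_id, new_email):
    """Authenticates only: any logged-in user can PUT any record (the OP's problem)."""
    if principal(token) is None:
        return 401
    RECORDS[target_user_id]["email"] = new_email
    return 200


def update_record_fixed(token, target_user_id, new_email):
    """Authenticates, then authorizes: the caller must own the record or be an admin."""
    caller = principal(token)
    if caller is None:
        return 401
    if caller["id"] != target_user_id and caller["role"] != "admin":
        return 403                              # worth logging as an access-control probe
    if target_user_id not in RECORDS:
        return 404
    RECORDS[target_user_id]["email"] = new_email
    return 200
```

The ownership check runs before the existence check so that a rejected caller learns nothing about which ids exist.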
| c*********e posts: 16335 | 7 Makes sense.
[In reply to g*****g]
| c*********e posts: 16335 | 8 Is your token a random number, or does it contain the username and role?
[In reply to g*****g]
| g*****g posts: 34805 | 9 After authentication, the server side returns a cookie, which contains a unique token to identify the user, usually a hash value of a random number. You can also add the username as part of the token, but it must have a part that cannot be guessed. The role usually is not in the token; it has to come from the server side.
You can check Spring Security to understand how a security framework works.
[In reply to c*********e]
| p*****w posts: 429 | 10 Too bad you explained it to him...
> you need to authorize user to change individual records, but your design is not doing that. Just change your design. your authorization is not strong enough to meet your requirement.
[In reply to x****d]
| c*********e posts: 16335 | 11 If I use OAuth, can the resource server and the authorization server be the same server?
I'm using C#, IIS.
[In reply to g*****g]
| c*********e posts: 16335 | 12 goodbug, how many days does it take to set up OAuth? My web server and application server are on the same machine, all on IIS. Is that OK? The same server issues the token and then receives the token; isn't that insecure?
[In reply to g*****g]
| g*****g posts: 34805 | 13 I'm not familiar with OAuth, so I can't help you with that.
[In reply to c*********e]