Are JAXRS restful services prone to CSRF attack when content type negotiation is enabled?

I have a RESTful API annotated with, for example, @Consumes(MediaType.JSON). If that is the case, is a CSRF attack still possible against such a service? I have protected my service with CSRFGuard on the server or with a double submit on the client side, but when I tried to make a POST request using a file FORM with enctype="text/plain" it did not work. The technique is explained here: http://appsandsecurity.co.uk/2012/01/stateless-crf-protection.html#comment-form. Content negotiation works if I have MediaType.APPLICATION_FORM_URLENCODED in my @Consumes annotation, but the service is still reachable when I use the POST/PUT/DELETE verbs.

Any suggestions or input would be great; please let me know if more information is needed.

Cheers

Answers

JAX-RS is designed to create REST APIs, which are supposed to be stateless. Cross-Site Request Forgery is NOT a problem with stateless applications.

The way Cross-Site Request Forgery works is that someone may trick you into clicking a link, or opening a link in your browser, that leads to a site you are logged in to, for example some online forum. Since you are already logged in on that site, the attacker can craft a URL that says something like: someforum.com/deletethread?id=23454

The forum application, being badly designed, will identify you by the session cookie, confirm that you are allowed to delete threads, and actually delete the thread,

because the application authenticates you based on the session cookie (or even based on a "remember me" cookie).

Without cookies, and with no persistent state between requests, there is no need to protect people from having their session hijacked.

The way you usually authenticate with a RESTful API is by sending some extra header. If someone tricks you into clicking a URL that represents a REST API, the browser will not send the extra header, so there is no risk.

In short, if a REST API is designed to be stateless as intended, there is no risk of cross-site request forgery and no need for CSRF protection.

Adding another answer, since Dmitri's answer mixes up server-side state and cookies.

If your server stores user information in memory across multiple requests, the application is not stateless. This reduces horizontal scalability, because you need to find the "right" server for every request.

Cookies are just a special kind of HTTP header. They are often used to identify a user's session, but not every cookie means server-side state. The server could also use the information from the cookie without starting a session. On the other hand, using other HTTP headers does not necessarily mean that your application is automatically stateless. If you store user data in your server's memory, it is not. The difference between cookies and other headers is the way they are handled by the browser. Most important for us is that the browser will resend them on every subsequent request. This is problematic if someone tricks a user into making a request he doesn't want to make.

Is this a problem for an API that consumes JSON?

  • The attacker makes the user submit a form with enctype=text/plain: URL-encoded content is not a problem because the result can't be valid JSON. text/plain is a problem if your server interprets the content not as plain text but as JSON. If your resource is annotated with @Consumes(MediaType.JSON) you should not have a problem, because it won't accept text/plain and should return a status 415. (Note that JSON may become a valid enctype one day, and this won't be valid any more.)
  • The attacker makes the user submit an AJAX request: the Same Origin Policy prevents AJAX requests to other domains, so you are safe as long as you don't disable this protection by using CORS headers such as Access-Control-Allow-Origin: *.
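
Putting the two answers above together, here is an added example (not code from the question or from either answer) of what a stateless JAX-RS service looks like: a resource that only consumes application/json, plus a filter that requires a bearer token in the Authorization header for state-changing verbs. The API is javax.ws.rs (JAX-RS 2.x); the paths, class names and the JSON-to-object binding (some registered JSON provider such as Jackson) are assumptions, as is the constructed attack form shown in the comment.

```java
import java.io.IOException;
import java.util.Set;

import javax.ws.rs.ApplicationPath;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Hypothetical application, not from the question. Both classes are registered
// explicitly so the example is one self-contained listing.
@ApplicationPath("/api")
public class StatelessJsonApi extends Application {

    @Override
    public Set<Class<?>> getClasses() {
        return Set.of(ThreadResource.class, TokenOnlyAuthFilter.class);
    }

    // Constructed attack page, for reference. The browser submits it as
    //   Content-Type: text/plain
    //   {"id":23454,"pad":"="}
    // (text/plain encodes each field as name=value), which is valid JSON, but the
    // runtime never routes it to deleteThread() because text/plain does not
    // match @Consumes(application/json): the answer is 415.
    //
    //   <form method="POST" enctype="text/plain"
    //         action="https://api.example/api/threads/delete">
    //     <input name='{"id":23454,"pad":"' value='"}'>
    //   </form>

    @Path("/threads")
    public static class ThreadResource {

        public static class DeleteRequest {
            public long id; // bound from the JSON body by the registered JSON provider
        }

        @POST
        @Path("/delete")
        @Consumes(MediaType.APPLICATION_JSON)
        @Produces(MediaType.APPLICATION_JSON)
        public Response deleteThread(DeleteRequest req) {
            // deletion logic omitted; the caller is whoever the bearer token names
            return Response.noContent().build();
        }
    }

    // Runs before resource matching on every request. State-changing methods must
    // carry a bearer token in the Authorization header: a browser never adds that
    // header on its own to a forged link or form post, and a cross-origin
    // XMLHttpRequest cannot add it unless the server opts in through CORS. A
    // request that only carries cookies (the case the second answer warns about)
    // is rejected here.
    @Provider
    @PreMatching
    public static class TokenOnlyAuthFilter implements ContainerRequestFilter {

        private static final Set<String> STATE_CHANGING =
                Set.of("POST", "PUT", "PATCH", "DELETE");

        @Override
        public void filter(ContainerRequestContext ctx) throws IOException {
            if (!STATE_CHANGING.contains(ctx.getMethod())) {
                return; // GET/HEAD/OPTIONS are not CSRF targets in this design
            }

            String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
            if (auth == null || !auth.startsWith("Bearer ")) {
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                        .type(MediaType.APPLICATION_JSON)
                        .entity("{\"error\":\"bearer token required\"}")
                        .build());
                return;
            }
            // Token validation (signature, expiry, audience) would go here; the
            // point of this example is that the header must be present at all.

            // Defence in depth: even if a resource later lists text/plain or
            // form-urlencoded in @Consumes, refuse any non-JSON body up front so
            // a browser form can never reach it.
            MediaType type = ctx.getMediaType();
            if (type != null && !MediaType.APPLICATION_JSON_TYPE.isCompatible(type)) {
                ctx.abortWith(Response.status(Response.Status.UNSUPPORTED_MEDIA_TYPE).build());
            }
        }
    }
}
```

With this in place a forged enctype="text/plain" form post fails twice over: the filter answers 401 because no Authorization header is attached, and even without the filter the runtime answers 415 because text/plain does not match @Consumes. The Authorization header reaches the server only when the legitimate client, typically script running on the API's own origin, sets it explicitly, which is exactly why the first answer says the browser "will not send the extra header". Keep the caveat from the second answer in mind: if the token is stored in a cookie and the server reads it from there, the browser will attach it to the forged request and the filter's protection evaporates, so the cookie must stay out of the authentication path.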
