Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
321 views
in Technique[技术] by (71.8m points)

javascript - Securing a remote ajax method call

I have coded some JavaScript to perform an ajax call in an asp.net application. This triggers a method that calls a URL, sending some parameters in the POST.

The receiving page processes the data and updates our database.

We will be providing this code to customers to allow them to send us the data we need in their checkout process for each transaction.

Can anyone tell me if there is a way to prevent unauthorized access to this URL? Otherwise an unscrupulous developer could use this URL to add data to our database when they shouldn't be.

Thanks for any pointers.


The issue here is that I will be providing the code to our customers and they will be adding it to their website. So I don't have the option of them performing anything much more complex than adding a few lines of code to their site.

The code though, needs to perform a sending of data to our server, somehow securely?

Is this an impossible scenario or would I need to perform some sort of auditing after the processing has occurred?

Thank you everyone for some good suggestions.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

You can use SOAP to pass a username/password with the request. SSL should be used to encrypt the data going over the wire. Here is some code that we use:

This is a class that will hold the Credentials that are sent with the request:

Imports System.Web.Services.Protocols
Public Class ServiceCredentials

Inherits SoapHeader

Private _userName As String
Public Property UserName() As String
    Get
        Return _userName
    End Get
    Set(ByVal value As String)
        _userName = value
    End Set
End Property


Private _password As String
Public Property Password() As String
    Get
        Return _password
    End Get
    Set(ByVal value As String)
        _password = value
    End Set
End Property

Public Sub New()

End Sub

Public Sub NewUserInfo(ByVal ServiceUser As String, ByVal ServicePassword As String)
    Me.UserName = ServiceUser
    Me.Password = ServicePassword

End Sub

Add an attribute to the definition of your Web Service:

    <WebMethod()> _
<SoapHeader("CredentialsHeader")> _
   Function MyWebMethod(ByVal paremetersPassed as String)
   'check permissions here
   If PermissionsValid(CredentialsHeader) then
    'ok!
       .......
   else
       'throw a permission error
  end if
 End Function

And then from there, just create a function (in my example, PermissionsValid) to check the permissions:

Function PermissionsValid(byval Credentials as ServiceCredentials) as boolean

    'check Credentials.Username and Credentials.Password here and return a boolean
End Function

This may seem like a bunch of work, but this way, when they send a request, you can check it against a database or whatever else you want. You can also turn off a username easily at your end.

A simpler way would be to restrict the IP addresses that are allowed to hit the service page. But, then you run into issues with IP addresses changing, etc.

BTW, much of this was typed as I did the post, so you may need to check over the code to make sure it compiles. :)


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...