Authenticating a Java Web Start client application

Time: 2023-01-19 15:33:11

I have a Java Web Start Application which communicates against my server via a web service (over https). I want to restrict the usage of the webservice to my app only, so that 3rd party apps don't work.


What strategies do I have? This question is somewhat broad, but running in JWS disables some options, like doing a checksum over all jars (at least I don't know a way of doing this in a JWS environment).


I can always implement my own auth scheme, but since the client code is on the client-side, one can always disassemble the class files and crack the auth mechanism.


1 solution

#1


3  

Remember that if the client is communicating with the server over https, the user can easily replace the JWS client with something else that also communicates over https. Anything the JWS client could send to "prove" its identity could be faked pretty easily. You could use client certificates (or numerous other types of authentication) to make sure only users with access to the JWS client could connect, but they will always be able to extract what they need from the JWS client to connect with something else.


The service needs to be secured based on what the user should be allowed to do.

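The answer's point, as an added example that is not part of the question or the answer: the server authorizes each operation against the user identity it authenticated itself (here, the subject of a client certificate verified by the TLS layer, one of the options the answer names), and a shared "app secret" shipped inside the JAR is shown only to contrast with it, since anyone who extracts it from the client can present it. The certificate-subject format, the permission table and the operation names are assumptions.

```python
"""Server-side authorization keyed on the authenticated user, not on anything
the JWS client claims about itself. Added example; the principal shape,
permission table and operation names are assumptions, not the asker's code."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class TlsPrincipal:
    """What the TLS layer hands the application after a mutual-TLS handshake.
    The application never reads this from a client-controlled header."""
    subject_cn: str         # CN from the verified client certificate
    verified: bool = True   # False when the handshake had no valid client cert

# Assumed per-user permission table (a database or IdP group lookup in practice).
PERMISSIONS: Dict[str, Set[str]] = {
    "alice": {"read:orders", "write:orders"},
    "bob": {"read:orders"},
}

# Weak approach the question considers: a secret embedded in the client JAR.
# It travels with the client, so it identifies the software, not the user, and
# proves nothing once extracted. Kept only to contrast with authorize() below.
EMBEDDED_APP_SECRET = "constructed-secret-in-jar"  # constructed sample value

def weak_app_check(headers: Dict[str, str]) -> bool:
    """Accepts any caller that presents the embedded secret, third-party tools included."""
    return headers.get("X-App-Secret") == EMBEDDED_APP_SECRET

def authorize(principal: Optional[TlsPrincipal], operation: str) -> bool:
    """Allow only if the mutual-TLS-authenticated user holds the permission for
    this operation. Nothing the client asserts about itself is consulted."""
    if principal is None or not principal.verified:
        return False
    return operation in PERMISSIONS.get(principal.subject_cn, set())

def handle_request(principal: Optional[TlsPrincipal], operation: str,
                   headers: Dict[str, str]) -> Dict[str, bool]:
    """Decision record for one request, showing both checks side by side."""
    return {"app_secret_ok": weak_app_check(headers),
            "allowed": authorize(principal, operation)}

if __name__ == "__main__":
    # A replacement client that extracted the secret passes the weak check but,
    # authenticated as bob, is still refused the write it is not entitled to.
    extracted = {"X-App-Secret": EMBEDDED_APP_SECRET}
    print(handle_request(TlsPrincipal("bob"), "write:orders", extracted))
    print(handle_request(TlsPrincipal("alice"), "write:orders", extracted))
```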
