I have 2 Tomcat web applications on the same server; both of them are protected by login/session. I need to send a URL request from one application to the other. In my URL request I add a field to bypass session security at the receiving web application.
I still want to make sure that only specific requests can bypass security. So, I send my request first to a secure JSP in the same application, then I add a cookie with some security key to my request, forward this request to the 2nd application, and then read this cookie in the receiving servlet to allow the bypass.
Is this design safe enough? What else can be done?
Best answer
Well, using a cookie should be good enough, but you can make it stronger by encrypting it; the preferable way to encrypt/decrypt is to use HMAC.
Also, in the cookie you can store the IP address of the originating request and always validate it against the valid list in Application 2.
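The answer's HMAC suggestion, carried through as an added Java example (JDK only; this is not code from the question or the answer). App 1 issues a token that is bound to one target path, carries an issue time and a single-use nonce, and is authenticated with HMAC-SHA256 under a secret shared by the two applications; App 2 checks the MAC in constant time before it trusts any field, then enforces freshness, path binding and single use. The class name, the 30-second validity window, the path names and the hard-coded placeholder secret are assumptions for the example; a real deployment loads the secret from a file readable only by the Tomcat user.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Short-lived HMAC-signed cross-application token (added example).
 * Token wire format: targetPath|issuedAtMillis|nonce|mac, with base64url for
 * the nonce and the MAC so the token fits in a cookie or a request header.
 */
public final class CrossAppToken {
    private static final String ALG = "HmacSHA256";
    private static final long MAX_AGE_MILLIS = 30_000L;          // assumed validity window: 30 s
    private static final SecureRandom RNG = new SecureRandom();

    // Placeholder secret for the example only; load 32 random bytes from a protected file in practice.
    private static final byte[] SECRET =
            "replace-with-32-random-bytes-from-a-protected-file".getBytes(StandardCharsets.UTF_8);

    // Nonces the receiving application has already accepted, so a captured token cannot be replayed.
    private static final Map<String, Long> SEEN_NONCES = new ConcurrentHashMap<>();

    private CrossAppToken() {}

    /** App 1 side: build a token that is valid for exactly one request to targetPath. */
    public static String issue(String targetPath, long nowMillis) throws Exception {
        if (targetPath.indexOf('|') >= 0) {
            throw new IllegalArgumentException("target path must not contain the field separator");
        }
        byte[] nonceBytes = new byte[16];
        RNG.nextBytes(nonceBytes);
        String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(nonceBytes);
        String payload = targetPath + "|" + nowMillis + "|" + nonce;
        return payload + "|" + mac(payload);
    }

    /** App 2 side: true only for an authentic, fresh, never-before-seen token bound to requestedPath. */
    public static boolean verify(String token, String requestedPath, long nowMillis) throws Exception {
        if (token == null) return false;
        String[] parts = token.split("\\|", -1);
        if (parts.length != 4) return false;

        // Authenticate first: no field is interpreted until the MAC over all of them checks out.
        String payload = parts[0] + "|" + parts[1] + "|" + parts[2];
        byte[] expected = mac(payload).getBytes(StandardCharsets.UTF_8);
        byte[] given = parts[3].getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return false;   // constant-time comparison

        // Path binding: a token minted for one servlet cannot be redirected at another.
        if (!parts[0].equals(requestedPath)) return false;

        // Freshness: reject tokens from the future (clock skew) or older than the window.
        long issuedAt;
        try {
            issuedAt = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return false;
        }
        long age = nowMillis - issuedAt;
        if (age < 0 || age > MAX_AGE_MILLIS) return false;

        // Single use: putIfAbsent returns null only when this nonce has never been accepted.
        evictExpiredNonces(nowMillis);
        return SEEN_NONCES.putIfAbsent(parts[2], issuedAt) == null;
    }

    private static String mac(String payload) throws Exception {
        Mac hmac = Mac.getInstance(ALG);
        hmac.init(new SecretKeySpec(SECRET, ALG));
        byte[] tag = hmac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    /** Nonces older than the window can never validate again, so they need not be remembered. */
    private static void evictExpiredNonces(long nowMillis) {
        SEEN_NONCES.entrySet().removeIf(e -> nowMillis - e.getValue() > MAX_AGE_MILLIS);
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        String path = "/app2/internal/sync";                        // assumed receiving servlet path
        String token = issue(path, now);
        System.out.println("token:    " + token);
        System.out.println("fresh:    " + verify(token, path, now + 1_000));
        System.out.println("replayed: " + verify(token, path, now + 2_000));          // same nonce again
        String second = issue(path, now);
        System.out.println("wrong path: " + verify(second, "/app2/admin", now + 1_000));
        System.out.println("too old:  " + verify(second, path, now + 60_000));
        String forged = second.substring(0, second.length() - 1) + (second.endsWith("A") ? "B" : "A");
        System.out.println("bad MAC:  " + verify(forged, path, now + 1_000));         // last MAC character altered
    }
}
```

Two deployment notes on the design in the question, as they affect the example. HMAC authenticates the token but does not hide its contents, so nothing secret belongs in the payload; the protection comes from the MAC, the expiry and the nonce, not from encryption. And how the token travels matters: if App 1 sets it as a browser cookie, Tomcat scopes the cookie to App 1's context path by default, so it needs Path=/ to reach App 2, and it is then visible to the user and replayable within the window; a server-side HTTP call from App 1 to App 2 that sends the token in a request header keeps it off the browser entirely. Binding the source IP, as the answer suggests, can be added as one more signed field, but with both applications on the same host the request arrives from the server's own address, so it mainly excludes external callers rather than other local processes.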