Is there any security issue if, let's say, in one application we do a hidden post to another application to make use of that application's functionality?
2 solutions
#1
1
Depends. Are you using some sort of authentication and encryption?
There are ways this could cause many security issues. Though you could say that of many implementations. Most anything configured badly can be a security issue.
#2
1
It would be much better to wrap the other app's functionality in a web service. This will give you a small layer of isolation from any changes in the called app's interface (ex. additional elements within the form body).
That said, as stated in another answer, authentication and encryption are important. However, it won't really be more or less secure than just using the other app directly through its UI.
Edit: There is at least one situation which can lead to the new scenario being less secure than the old one. If the called app uses purely client-side validation of the input data (bad idea), you will have to duplicate that validation when doing the cross post.
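One way to repeat the called app's input validation on the server before making the cross post, as an added example that is not part of the original answers. The field names and rules, the target URL and the bearer-token authentication are assumptions made for illustration.

```python
import re
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Hypothetical field rules, standing in for whatever the called app's
# client-side JavaScript enforces on its form.
FIELD_RULES = {
    "email": re.compile(r"[^@\s]{1,64}@[A-Za-z0-9.-]{1,255}"),
    "quantity": re.compile(r"[1-9][0-9]{0,2}"),  # 1..999
}


def build_cross_post(target_url, token, form):
    """Validate `form` server-side and return an unsent POST Request."""
    parts = urlsplit(target_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("cross post must go to an https:// URL")

    unexpected = set(form) - set(FIELD_RULES)
    missing = set(FIELD_RULES) - set(form)
    if unexpected or missing:
        raise ValueError(f"unexpected={sorted(unexpected)} missing={sorted(missing)}")

    for name, rule in FIELD_RULES.items():
        value = form[name]
        if not isinstance(value, str) or not rule.fullmatch(value):
            raise ValueError(f"field {name!r} failed validation")

    body = urlencode({name: form[name] for name in FIELD_RULES}).encode("ascii")
    return Request(
        target_url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": f"Bearer {token}",  # assumed auth scheme
        },
    )


if __name__ == "__main__":
    # Constructed sample input; the request is built but never sent.
    req = build_cross_post(
        "https://app-b.example/submit",
        "constructed-token",
        {"email": "alice@example.com", "quantity": "3"},
    )
    print(req.get_method(), req.full_url, req.data)
```

The function returns the request without sending it, so the validation and the transport check can be tested without a network connection.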