I have a AngularJS Webapplication with Java Backend.
我有一个带Java后端的AngularJS Web应用程序。
Now i want to send a mail out of the Angular Application. I thought the best way is to send a post or get request to the webservice and send the Mail via an internal smtp server to the recipient.
现在我想从Angular应用程序中发送邮件。我认为最好的方法是发送帖子或获取请求到Web服务并通过内部smtp服务器将邮件发送给收件人。
But i think there is a big security problem with this concept. When i create a webservice call like: /api/mail?mailto=john@doe.com someone can take the link to the webservice, change the recipient and take this link to start spamming to other people.
但我认为这个概念存在很大的安全问题。当我创建一个web服务调用时,例如:/api/mail?mailto=john@doe.com,有人可以将链接发送到网络服务,更改收件人并使用此链接开始向其他人发送垃圾邮件。
Do someone know a secure way for this architecture to send a mail via a webservice? It is necessary that i have to pass the recipient to the mail service, because the user set this in the AngularJS UI.
有人知道这种架构通过Web服务发送邮件的安全方式吗?我必须将收件人传递给邮件服务,因为用户在AngularJS UI中设置了它。
I am happy about any suggestion.
我很高兴任何建议。
2 个解决方案
#1
0
Here are the security measures you should take for securing your rest api. REST Security Cheat Sheet Here is the list of security measures you should take for your rest API.
以下是您应该采取的安全措施,以确保您的休息api。 REST安全备忘单以下是您应该为其余API采取的安全措施列表。
- HTTPS
- HTTPS
- Access Control - For access control, you can API keys, OAuth, etc. take a look at this article https://stormpath.com/blog/secure-your-rest-api-right-way
- 访问控制 - 对于访问控制,您可以使用API密钥,OAuth等。看看这篇文章https://stormpath.com/blog/secure-your-rest-api-right-way
- Restrict HTTP methods - Can be handled in controller.
- 限制HTTP方法 - 可以在控制器中处理。
- Security headers - Use proper security header to prevent CORS, CSRF attack. (The attack you specified in your question). Have look in this article https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html.
- 安全标头 - 使用适当的安全标头来防止CORS,CSRF攻击。 (您在问题中指定的攻击)。请查看本文https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html。
- Pass Sensitive information in HTTP POST request
- 在HTTP POST请求中传递敏感信息
If you use spring-security you will be covered in most of this.
如果您使用spring-security,大部分内容都将涵盖在内。
#2
0
Use Mailgun. You can send 10,000 emails for free you can call the API via your Java backend, like so:
使用Mailgun。您可以免费发送10,000封电子邮件,您可以通过Java后端调用API,如下所示:
public static ClientResponse SendSimpleMessage() {
Client client = Client.create();
client.addFilter(new HTTPBasicAuthFilter(
"api","key-3ax6xnjp29jd6fds4gc373sgvjxteol0"));
WebResource webResource = client.resource(
"https://api.mailgun.net/v3/samples.mailgun.org/messages");
MultivaluedMapImpl formData = new MultivaluedMapImpl();
formData.add("from", "Excited User <excited@samples.mailgun.org>");
formData.add("to", "john@doe.com");
formData.add("subject", "Hello");
formData.add("text", "Testing some Mailgun awesomeness!");
return webResource.type(MediaType.APPLICATION_FORM_URLENCODED).
post(ClientResponse.class, formData);
}
This would be more secure than your implementation. I would also send the email address from the Angular client to your Java backend as a POST.
这比您的实现更安全。我还会将Angular客户端的电子邮件地址作为POST发送到您的Java后端。
#1
0
Here are the security measures you should take for securing your rest api. REST Security Cheat Sheet Here is the list of security measures you should take for your rest API.
以下是您应该采取的安全措施,以确保您的休息api。 REST安全备忘单以下是您应该为其余API采取的安全措施列表。
- HTTPS
- HTTPS
- Access Control - For access control, you can API keys, OAuth, etc. take a look at this article https://stormpath.com/blog/secure-your-rest-api-right-way
- 访问控制 - 对于访问控制,您可以使用API密钥,OAuth等。看看这篇文章https://stormpath.com/blog/secure-your-rest-api-right-way
- Restrict HTTP methods - Can be handled in controller.
- 限制HTTP方法 - 可以在控制器中处理。
- Security headers - Use proper security header to prevent CORS, CSRF attack. (The attack you specified in your question). Have look in this article https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html.
- 安全标头 - 使用适当的安全标头来防止CORS,CSRF攻击。 (您在问题中指定的攻击)。请查看本文https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html。
- Pass Sensitive information in HTTP POST request
- 在HTTP POST请求中传递敏感信息
If you use spring-security you will be covered in most of this.
如果您使用spring-security,大部分内容都将涵盖在内。
#2
0
Use Mailgun. You can send 10,000 emails for free you can call the API via your Java backend, like so:
使用Mailgun。您可以免费发送10,000封电子邮件,您可以通过Java后端调用API,如下所示:
public static ClientResponse SendSimpleMessage() {
Client client = Client.create();
client.addFilter(new HTTPBasicAuthFilter(
"api","key-3ax6xnjp29jd6fds4gc373sgvjxteol0"));
WebResource webResource = client.resource(
"https://api.mailgun.net/v3/samples.mailgun.org/messages");
MultivaluedMapImpl formData = new MultivaluedMapImpl();
formData.add("from", "Excited User <excited@samples.mailgun.org>");
formData.add("to", "john@doe.com");
formData.add("subject", "Hello");
formData.add("text", "Testing some Mailgun awesomeness!");
return webResource.type(MediaType.APPLICATION_FORM_URLENCODED).
post(ClientResponse.class, formData);
}
This would be more secure than your implementation. I would also send the email address from the Angular client to your Java backend as a POST.
这比您的实现更安全。我还会将Angular客户端的电子邮件地址作为POST发送到您的Java后端。