问题描述
我阅读了这篇文章 http://www.asp.网络/信号器/概述/安全性/安全性介绍#connectiontoken
$.connection.hub.qs = { "token" : tokenValue };
$.connection.hub.start().done(function() { /* ... */ });
.NET客户端
var connection = new HubConnection("http://foo/",
new Dictionary<string, string>
{
{ "token", tokenValue }
});
在集线器内部,您可以通过上下文访问社区名称:
Inside a Hub you can access the community name through the Context:
Context.QueryString["token"]
在.NET客户端上设置标题
var connection = new HubConnection("http://foo/");
connection.Headers.Add("token", tokenValue);
我注意到我们可以从客户端将一些令牌值作为查询字符串传递给集线器功能.....如果我传递任何内容,因为查询字符串不安全.因此,请告诉我最好的方法,以安全的方式将令牌值从客户端传递到集线器功能,结果是没人能破解/更改或重用该令牌值.
i notice that we can pass some token value from client side to hub function as query string.....if i pass the anything as query string is not safe. so tell me best way to pass token value in secured way from client to hub function as a result no one can hack/change or reuse that token value.
一个人说, SignalR使用加密和数字签名来保护连接令牌..所以请告诉我,信号器首先加密令牌值然后从客户端传递到集线器是真的吗?
one guy said SignalR uses encryption and a digital signature to protect the connection token..so please tell me is it true that signalr first encrypt token value and then pass from client side to hub?
我建议人们如何以安全的方式将令牌值传递给集线器.谢谢
suggest me how one can pass token value to hub in secure way. thanks
推荐答案
您可以在javascript客户端中使用标头,例如:
You can use headers in the javascript client like this for example:
$.signalR.ajaxDefaults.headers = { Authorization: "Bearer " + yourToken };
现在不是hacky,这是一个全局设置,您可以在启动或成功进行身份验证响应时执行一次!享受吧!
Now not hacky and is a global setting you can do once at startup or successful auth response! Enjoy!
现在,仅当我能够找到一种基于每个请求的方法来覆盖此方法,以便我可以让用户模拟沙箱为我的管理角色用户工作时...
Now only if I can find a way to override this on a per-request basis so I can get a user emulation sandbox working for my users in administrative roles...
这篇关于从Signalr JS客户端到集线器功能传递连接令牌是安全的或容易受到攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!