
Security with Web Services in Java

Developer https://www.devze.com 2023-02-14 03:30 Source: web

We have a client that calls our web services. How can we make sure that it is only our client application that is calling the web service and not a client someone else created that calls our web services.

We'd like to avoid hard coding a password into the application.


A quick answer to your question would be to look into OAuth. Implementing OAuth correctly is a process, so I would read up on the protocol documentation. Here is a link to example OAuth client libraries. I would also search StackOverflow for advice on OAuth implementations.


In this case you can use two-legged OAuth. This is a variation on standard OAuth and is used by companies such as SimpleGeo. Then secure the communication with HTTPS and you have a robust solution.
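The two-legged OAuth approach the two answers above point to, as an added example that is not from the original thread: the client signs each request with HMAC-SHA1 over the OAuth 1.0a signature base string (no access token, so the signing key is just the consumer secret followed by `&`), and the server recomputes the signature, enforces a timestamp window and rejects replayed nonces. The consumer key, secret and URL are constructed placeholders; the example is Python rather than the Java the question targets, and the in-memory nonce set stands in for a shared cache.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote
# Constructed demo credentials (placeholders for illustration, not real keys).
CONSUMER_KEY, CONSUMER_SECRET = "demo-client", "demo-secret"
SERVER_SECRETS = {CONSUMER_KEY: CONSUMER_SECRET}  # server-side consumer registry
SEEN_NONCES = set()                               # server-side replay cache
MAX_SKEW = 300                                    # accepted clock drift, seconds

def enc(s):
    return quote(str(s), safe="-._~")  # RFC 3986 encoding: only unreserved chars kept

def base_string(method, url, params):
    # Encode names/values, sort, join with '&', then encode the whole parameter string
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(norm)])

def sign(method, url, params, consumer_secret):
    # Two-legged OAuth: no token, so the key is "consumer_secret&" with an empty token secret
    key = f"{enc(consumer_secret)}&".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def client_request(method, url, params, key, secret, now=None):
    # Client side: add the protocol parameters and sign (oauth_signature itself is not signed)
    p = dict(params, oauth_consumer_key=key, oauth_nonce=secrets.token_hex(8),
             oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
             oauth_timestamp=str(int(now or time.time())))
    p["oauth_signature"] = sign(method, url, p, secret)
    return p

def verify_request(method, url, params, now=None):
    """Server side: True only for a correctly signed, fresh, never-before-seen request."""
    p = dict(params)
    sig = p.pop("oauth_signature", None)
    key, nonce = p.get("oauth_consumer_key"), p.get("oauth_nonce")
    secret = SERVER_SECRETS.get(key)
    if not (sig and nonce and secret) or p.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(p["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs((now or time.time()) - ts) > MAX_SKEW:
        return False                              # stale: outside the clock window
    if not hmac.compare_digest(sign(method, url, p, secret).encode(), sig.encode()):
        return False                              # tampered params, wrong secret, or wrong URL
    if (key, nonce, ts) in SEEN_NONCES:
        return False                              # replay of a captured request
    SEEN_NONCES.add((key, nonce, ts))
    return True
```

Note that, as the last answer below says, the consumer secret still ships inside the client, so a valid signature proves possession of that secret, not that the request came from your application.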


If you don't care about clients not running in a browser, then you can use XSRF tokens, a secret per session that is either associated with some session key in your backend, or round-tripped through two separate paths, such as via a hidden form input and a cookie over a secure channel. If you can't secure the channel, you have to make the tokens single-use. See http://www.cgisecurity.com/csrf-faq.html#protectapp

You can't in the general case. A reasonably intelligent hacker can probably reverse engineer any protocol you use, and extract any secrets you embed in the source code.

