Use h5 to develop cross-platform apps to ensure secure data interaction-server, h5app

Source: Internet
Author: User

My Android development experience, from Eclipse to Android Studio, taught me that native development is the ultimate truth. HTML5 app development used to be hard: although I had never really looked into it, it reportedly ran too slowly, and loading and rendering were never as fast as native. And where the app has to interact deeply with hardware, HTML5 cannot be used at all. By chance I started on HTML5 app development anyway. In short, each approach has its own advantages and disadvantages: if funds are short, HTML5 combined with a native shell works for a while, but it is not as good as you might think. If you want to learn it, try it yourself.

Security must be considered from the start of the app design, while keeping things efficient. Here I share my practice (pieced together from online material). The app interacts with a server, fetching and displaying data by calling the API the server provides. If the server API has no protection at all, anyone can call it maliciously: at best this adds load to the server, at worst it causes financial loss.

First, the server must be able to tell whether the caller is a legitimate client. If it is, data is returned; if not, the request is refused outright (the login and non-login cases are both covered below). The server side is an ASP.NET Web API. The client adds the headers sign, ts (a timestamp) and deviceId to every request, where sign = encryption algorithm(ts + deviceId + secret); the exact algorithm is up to you. The server reads these values and checks them: if the timestamp is more than five minutes off, or the signature does not match, access is denied immediately. Three access levels are defined:

1. No authentication: anyone can call the service.
2. Client authentication: only our own client can call the service, verified by the request signature.
3. Login authentication: the user must also be logged in.

Login authentication uses the common token approach. When a user logs in successfully, the server generates an encrypted string as the token according to its own rules and returns it to the client. From then on, every request must carry both the token and the user name; if they are missing or invalid, the server rejects the request and the client returns to the login page to log in again. The action filter below implements these three levels.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using KubuServerBLL;
using yxxrui;

namespace *****Server
{
    public class MyApiActionFilter : ActionFilterAttribute
    {
        public const int NOT_AUTHENTICATION = 1;
        public const int NOT_LOGIN = 2;
        public const int NEED_LOGIN = 3;
        // Shared secret: the copy in the client (phone) and the copy on the server must be identical
        private const string ApiPrivateKey = "aaaaaasdfadfadfgfdgjldfajooilsdkjfad***sfhdjk";
        private readonly int _level;

        public MyApiActionFilter()
        {
            _level = NEED_LOGIN;
        }

        public MyApiActionFilter(int level)
        {
            _level = level;
        }

        public override void OnActionExecuting(HttpActionContext context)
        {
            // Three levels: 1. no check; 2. the request must carry a valid client signature;
            // 3. the signature check plus the user must be logged in
            switch (_level)
            {
                case NOT_AUTHENTICATION:
                    break;
                case NOT_LOGIN:
                    if (IsForbidden(context))
                    {
                        context.Response = new HttpResponseMessage(HttpStatusCode.Gone);
                    }
                    break;
                case NEED_LOGIN:
                    if (IsForbidden(context) || IsNotLogin(context))
                    {
                        context.Response = new HttpResponseMessage(HttpStatusCode.Forbidden);
                    }
                    break;
            }
            // Setting context.Response short-circuits the action; otherwise the request passes through
            base.OnActionExecuting(context);
        }

        private readonly UserBll _userBll = new UserBll();

        // Reads a single-valued request header, or "" when it is absent
        private static string GetHeader(HttpActionContext context, string name)
        {
            IEnumerable<string> values;
            if (context.Request.Headers.TryGetValues(name, out values))
            {
                return values.FirstOrDefault() ?? "";
            }
            return "";
        }

        // Level 3: the request must carry a username and a token that the user layer accepts
        private bool IsNotLogin(HttpActionContext context)
        {
            try
            {
                string username = GetHeader(context, "username");
                if (string.IsNullOrWhiteSpace(username))
                {
                    return true;
                }

                string token = GetHeader(context, "token");
                if (string.IsNullOrWhiteSpace(token))
                {
                    return true;
                }

                var isLogin = _userBll.CheckToken(username, token);
                return !isLogin;
            }
            catch
            {
                return true;
            }
        }

        /// <summary>
        /// Level 2: verify the request headers deviceId, sign and ts (a 10-digit Unix timestamp)
        /// </summary>
        private bool IsForbidden(HttpActionContext context)
        {
            try
            {
                string deviceId = GetHeader(context, "deviceId");
                if (string.IsNullOrWhiteSpace(deviceId))
                {
                    return true;
                }

                string sign = GetHeader(context, "sign");
                if (string.IsNullOrWhiteSpace(sign))
                {
                    return true;
                }

                string ts = GetHeader(context, "ts");
                if (string.IsNullOrWhiteSpace(ts) || ts.Length != 10)
                {
                    return true;
                }

                // Reject timestamps more than five minutes before or after server time
                // (ComHelper is the post's own helper library from the yxxrui namespace; not shown)
                var tsDate = ComHelper.ConvertIntDateTime(ts);
                if (tsDate > DateTime.Now.AddMinutes(5) || tsDate < DateTime.Now.AddMinutes(-5))
                {
                    return true;
                }

                // Recompute the signature on the server and compare it with the client's
                string mysign = ComHelper.ToEncryption(deviceId + ts + ApiPrivateKey);
                if (!sign.Equals(mysign, StringComparison.InvariantCultureIgnoreCase))
                {
                    return true;
                }
            }
            catch
            {
                return true;
            }
            return false;
        }
    }
}
The filter is applied to a controller action by adding it as an attribute, for example:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using *****ServerBLL;
using *****ServerDAL;
using *****ServerModel;

namespace *****Server.Controllers.Api
{
    public class NameValuesController : ApiController
    {
        private readonly NameValuesBll _nameValuesBll = new NameValuesBll();

        [HttpPost]
        [MyApiActionFilter(2)] // level 2: the request must carry a valid client signature
        public BaseMsg GetUpdateVersion(dynamic obj)
        {
            string clientVersion, deviceId;
            try
            {
                clientVersion = Convert.ToString(obj.clientVersion);
                deviceId = Convert.ToString(obj.deviceId);
            }
            catch
            {
                return new BaseMsg("error message.");
            }

            var versionObj = _nameValuesBll.GetValueByName("version");
            var urlObj = _nameValuesBll.GetValueByName("AndroidUrl");

            if (versionObj == null || urlObj == null)
            {
                return new BaseMsg("Acquisition failed, please try again.");
            }
            if (versionObj.Value != clientVersion)
            {
                // A newer version exists: return its number, download URL and release notes
                return new BaseMsg(new
                {
                    Version = versionObj.Value,
                    AndroidUrl = urlObj.Value,
                    UpdateMemo = versionObj.Other
                });
            }
            return new BaseMsg("noNewVersion", "This is the latest version; no update is needed.", null);
        }
    }
}
The method above is an interface that checks whether the app needs to be updated. A gray (staged) rollout could be implemented on the server through it, although that adds some load. When the app needs to check for updates it simply calls this API. The interface requires signature authentication only (level 2).
For an interface that must be called by our own client and only after the user has logged in, keep the [MyApiActionFilter(2)] attribute on the method and change the number to 3, or drop the argument entirely (the parameterless constructor defaults to NEED_LOGIN). Note that the filter verifies the token against the username request header, so an action that also takes a username in the request body should check that the two agree, for example:
#region Bind mobile phone number
// _userBll is a UserBll field on the containing controller
[HttpPost]
[MyApiActionFilter] // no argument: defaults to NEED_LOGIN (level 3)
public BaseMsg BindingPhone(dynamic obj)
{
    string phone;
    string username;
    try
    {
        phone = Convert.ToString(obj.phone);
        username = Convert.ToString(obj.username);
    }
    catch
    {
        return new BaseMsg("error message.");
    }

    // The filter verified the token against the "username" request header; the body
    // value must match it, or a logged-in user could bind a number to someone else's account
    string headerUser = Request.Headers.Contains("username")
        ? Request.Headers.GetValues("username").FirstOrDefault()
        : null;
    if (headerUser != username)
    {
        return new BaseMsg("error message.");
    }

    bool ret = _userBll.BindingPhone(username, phone);
    if (ret)
    {
        return new BaseMsg();
    }
    return new BaseMsg(@"This mobile phone number has already been registered.");
}
#endregion

If every API method in a controller requires login, place the attribute on the class instead. If n controllers need login, create a base class that inherits ApiController, put the attribute on that class, and have the other controllers inherit the base class. With this the server interface has simple protection in place. The client-side implementation will be written up later.
