3

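I have a RESTful service for documents, where the documents are stored in MongoDB. The RESTful API for a document is /document/:id. Initially the :id in the API uses MongoDB's object ID, but I wonder whether this approach reveals the database ID and exposes a potential threat, and whether I should replace it with a pseudonym ID.

If it needs to be replaced with a pseudonym ID, I wonder whether there is an algorithmic way to convert between the object ID and the pseudonym ID, back and forth, without much computation.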

4

1 Answer

1

First, there is no "database id" contained in the ObjectID.

I'm assuming your concern comes from the fact that the spec lists a 3 byte machine identifier as part of the ObjectID. A couple of things to note on that:

  1. Most of the time, the ObjectID is actually generated on the client side, not the server (though it can be). Hence this is usually the machine identifier for the application server, not your database.
  2. The 3 byte Machine ID is the first three bytes of the (MD5) hash of the machine host name, or of the MAC/network address, or the virtual machine id (depending on the particular implementation), so it can't be reversed back into anything particularly meaningful.

With the above in mind, you can see that worrying about exposing information is not really a concern.

However, with even a small sample, it is relatively easy to guess valid ObjectIDs, so if you want to avoid that type of traffic hitting your application, then you may want to use something else (a hash of the ObjectID might be a good idea for example), but that will be dependent on your requirements.

answered 2013-05-02T11:00:10.670
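The following is an added example, not code from the question or the answer. It splits two constructed ObjectIDs into the legacy fields the answer refers to, showing that IDs minted close together differ only in the counter, and then derives a public ID for /document/:id. It uses a keyed HMAC rather than the plain hash the answer mentions, because an unkeyed hash of a guessable ObjectID can be recomputed by anyone who guesses the ObjectID. The names `parseObjectId`, `pseudonymFor`, `publicId`, the key and the sample IDs are assumptions.

```javascript
const crypto = require("crypto");

// Legacy 12-byte ObjectID layout referred to in the answer:
// 4-byte timestamp | 3-byte machine id | 2-byte process id | 3-byte counter
function parseObjectId(hex) {
  if (!/^[0-9a-f]{24}$/i.test(hex)) throw new TypeError("not a 24-hex-char ObjectID");
  return {
    timestamp: parseInt(hex.slice(0, 8), 16), // seconds since the Unix epoch
    machine: hex.slice(8, 14).toLowerCase(),
    pid: parseInt(hex.slice(14, 18), 16),
    counter: parseInt(hex.slice(18, 24), 16),
  };
}

// Keyed pseudonym: HMAC-SHA256 over the raw 12 bytes, truncated to 128 bits.
// It is one-way, so store it in an indexed field (assumed here to be called
// publicId) and look documents up by that field instead of by _id.
function pseudonymFor(hex, key) {
  parseObjectId(hex); // rejects malformed input before hashing
  const mac = crypto.createHmac("sha256", key).update(Buffer.from(hex, "hex")).digest();
  return mac.subarray(0, 16).toString("hex");
}

// Constructed sample values, not taken from any real deployment.
const SAMPLE_KEY = Buffer.alloc(32, 7); // placeholder; load a random secret in practice
const ID_A = "518240aa1c9d440b2a00002a";
const ID_B = "518240aa1c9d440b2a00002b";

function demo() {
  const a = parseObjectId(ID_A);
  const b = parseObjectId(ID_B);
  return {
    sameOrigin: a.timestamp === b.timestamp && a.machine === b.machine && a.pid === b.pid,
    counterStep: b.counter - a.counter, // neighbouring ObjectIDs are one apart
    pseudoA: pseudonymFor(ID_A, SAMPLE_KEY),
    pseudoB: pseudonymFor(ID_B, SAMPLE_KEY), // unrelated to pseudoA without the key
  };
}

console.log(demo());
```

Because the mapping is one-way, the service resolves `/document/:id` with a query on the stored `publicId` field; the ObjectID itself never appears in a URL.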