How do I secure my REST api developed in playframework


Question

I have read a lot about this on here and other articles. First let me explain my situation.

Let's say I have the following REST backend:

GET /user returns all users in JSON. (No need to be logged-in)
POST /user registers new user. (No need to be logged-in)
DELETE /user deletes a user. (You do need to be logged-in)

POST /login posts login credentials and returns a 200 OK on successful authentication. Also this creates a session with the username.

DELETE /login logout, this deletes the session.

For user authentication and roles I use Deadbolt-2 so for example when DELETE /user is called first the session will be viewed to determine whether you are logged-in and then the username is used to determine if you have the correct permissions.

This works. My question is not about this kind of authorization/authentication. It is however about the following:

I want to secure the "public" API calls like: GET /user in a way so only front-end applications that are approved by me can access them.

I have read a lot about api-keys and HMAC and oAuth. But it seems to me they are talking about the first scenario and not the second. So how would I go about this in my situation?

Thank you for your time.

Recommended answer

You might find this Securing Single Page Apps and REST Services article by James Ward useful, it's built using Play Framework, Java, jQuery, and CoffeeScript.

Reference source: https://github.com/jamesward/play-rest-security/
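The question asks how to let only approved front-ends call the "public" endpoints such as GET /user, and mentions api-keys and HMAC as candidates. The following is an added example, not code from the question, the answer, or the linked play-rest-security project, showing the usual shape of that approach: the client signs the method, path, timestamp and body with a shared secret, and the server recomputes the HMAC, checks a clock-skew window and compares in constant time. The key registry, the key id "approved-frontend", the secret value, and the header layout are all constructed for the example; the code is plain Java with no Play dependency, so wiring it into a Play action (reading the three headers from the request) is left to the reader.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example (not from the question or the linked project): HMAC request signing for "public" endpoints. */
public class HmacRequestAuth {
    private static final String ALGORITHM = "HmacSHA256";
    /** Requests whose timestamp is further than this from server time are rejected. */
    private static final long MAX_SKEW_MILLIS = 5 * 60 * 1000L;

    /** Constructed sample registry of approved clients: key id -> shared secret. Load from config or a DB in practice. */
    private static final Map<String, byte[]> SECRETS = Map.of(
            "approved-frontend", "constructed-sample-secret".getBytes(StandardCharsets.UTF_8));

    /** The string both sides sign: binds method, path, timestamp and body so none of them can be swapped. */
    static String canonicalString(String method, String path, String timestamp, String body) {
        return method.toUpperCase() + "\n" + path + "\n" + timestamp + "\n" + body;
    }

    /** Client side: Base64(HMAC-SHA256(secret, canonical)). */
    static String sign(byte[] secret, String canonical) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(new SecretKeySpec(secret, ALGORITHM));
            return Base64.getEncoder().encodeToString(mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Server side: unknown key id, unparsable or stale timestamp, or a mismatching signature all fail. */
    static boolean verify(String keyId, String method, String path, String timestamp, String body,
                          String presentedSignature, long nowMillis) {
        byte[] secret = SECRETS.get(keyId);
        if (secret == null || presentedSignature == null || timestamp == null) {
            return false;
        }
        long sentAt;
        try {
            sentAt = Long.parseLong(timestamp);
        } catch (NumberFormatException e) {
            return false;
        }
        if (Math.abs(nowMillis - sentAt) > MAX_SKEW_MILLIS) {
            return false;
        }
        String expected = sign(secret, canonicalString(method, path, timestamp, body));
        // Constant-time comparison so the signature cannot be guessed byte by byte via timing.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                presentedSignature.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        String ts = Long.toString(now);
        // Client signs GET /user with an empty body; key id, timestamp and signature travel as request headers.
        String sig = sign(SECRETS.get("approved-frontend"), canonicalString("GET", "/user", ts, ""));

        System.out.println("valid request:   " + verify("approved-frontend", "GET", "/user", ts, "", sig, now));
        System.out.println("method tampered: " + verify("approved-frontend", "DELETE", "/user", ts, "", sig, now));
        System.out.println("unknown key id:  " + verify("stranger", "GET", "/user", ts, "", sig, now));
        System.out.println("replayed later:  " + verify("approved-frontend", "GET", "/user", ts, "", sig,
                now + 10 * 60 * 1000L));
    }
}
```

Two caveats govern whether this actually answers the question. The timestamp window only bounds replay; a request captured inside the window can be re-sent until it expires, so a server-side nonce cache is needed if replay within five minutes matters. More importantly, a secret shipped inside a browser-based front-end is visible to anyone who loads the page, so HMAC signing distinguishes clients whose secret stays on a server you control; for a JavaScript front-end it does not stop a determined third party, which is why the linked article leans on sessions, CORS and rate limiting rather than a client secret for that case.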
