发送凭据的URL,可能吗? [英] send credentials with url, possible?
问题描述
我得到了我基本的身份验证保护和利用SSL的Web服务。以方便为都不见了使用此Web服务,我想跳过401,并与URL发送给凭证的客户端(我想这样客户可以使用URL从code / Web应用程序访问Web服务),问题是这可能吗?
I got a web service that I protect with basic authentication and use ssl. to make it easy for the clients that are gone use this web service I want to skip the 401 and send the credentials with the url (I would like so the customer can access the web service with url from their code / web app), question is this possible?
我知道的信息,但是很多了客户的使用没有得到适当的开发团队做code。
I know about headers but a lot of the clients gone use this do not got the proper developing team to do code.
感谢
推荐答案
好了,你肯定可以,但你真的不应该。在URL纯文本格式发送信息是不好的,因为这URL可能在几个不同的地方获取缓存,一般不必要的暴露敏感信息。你可以在发送之前进行加密,但是这可能是更多的麻烦比它的价值。
Well, you certainly could, but you really shouldn't. Sending information in plain text in the URL is bad, since that URL may get cached in several different places and generally unnecessarily exposes sensitive information. You could encrypt it before sending it, but that's probably more trouble than it's worth.
有关使用纯粹的基于URL的身份验证接受的方法是某种形式的令牌。你需要通过一个标准的登录程序,虽然生成令牌。 附录:另外请注意,这比把明文密码的URL更好,但仍然有它自身的问题。网址是更广泛的记录,缓存,比其他头信息书签。至少你保留令牌的控制权,但并经过一段时间后会过期的,而在URL密码不能简单地到期。
The accepted method for using a purely URL based authentication is a token of some sort. You'll need to go through a standard login procedure to generate the token though. Addendum: Also note that that's better than putting the plain text password in the URL, but still has it's share of problems. URLs are more widely logged, cached and bookmarked than other header information. At least you retain control of the token though and can expire it after some time, whereas a password in the URL can't simply be expired.
如果你正在开发一个API,我认为这是合理的足够需要一些认证过程。如果您的客户端无法做到这一点,提供了一个图书馆或code片段,会帮助他们。
If you're developing an API, I think it's reasonable enough to require some authentication procedure. If your clients can't do it, offer a library or code snippets that'll help them.
这篇关于发送凭据的URL,可能吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
