Password protecting a REST service?


Question

After creating a basic REST service, I have come to the point where it would be appropriate to add some sort of password protection, as I need to verify that my users are both properly logged and have sufficient permissions to execute whatever action they are going to.

The REST service will mainly be accessed from a Javascript-heavy frontend and with that in mind, I have come up with the two following alternatives to solve this:

  1. Make users login by first sending credentials to a /login page with POST. The page sets a session cookie wherein the user is marked as logged in, along with the permission level. On each following request, I verify that the user is logged in and his/her permission level. When the session expires, automatically or manually (logout, the user will have to re-logon).

  2. Temporarily save the credentials hashed locally and send the user's credentials along with every single request made by the user to verify the credentials & permissions in the backend on a per-request basis.

Are there more ways to solve this and is there something else that I should be concerned with?

Answer

I'm currently developing a REST API along with a client (written in javascript), below I'll try to explain the methods used to protect the API against unauthorized access.


  • Make your REST API require an Auth-Key header on every request to the API, except /api/authenticate.

/api/authenticate will take a username and a password (sent using POST), and return user information alongside the Auth-Key.

This Auth-Key is randomly generated after a call to /api/authenticate and stored in the backend users table with the specific user entry, a md5 hash of the remote ip + the user agent provided by the client.

On every request the value of Auth-Key, and the md5 sum mentioned, is searched for in users. If a valid user is found that has been active during the past N minutes the user will be granted access, if not: http return code 401.

In the REST client, first get the Auth-Key by posting to /api/authenticate, then store this value in a variable and send it on every future request.
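The Auth-Key scheme described in the answer, as an added example that is not code from the original post: a key is issued on authenticate, bound to a fingerprint of the client's IP and User-Agent, and rejected with 401 on any request where the key or fingerprint does not match or the user has been inactive longer than N minutes. Assumptions: the `users` table is a dictionary, the fingerprint uses sha256 instead of the answer's md5, passwords are stored as salted PBKDF2 hashes, and the clock is injectable so expiry can be exercised.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TIMEOUT_MINUTES = 15  # the answer's "N minutes" (constructed value)


def _client_fingerprint(remote_ip: str, user_agent: str) -> str:
    # Binds the key to the connection as the answer describes (ip + user agent);
    # sha256 is used here in place of the md5 the answer mentions.
    return hashlib.sha256(f"{remote_ip}|{user_agent}".encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthKeyStore:
    """Minimal stand-in for the 'users' table the answer refers to (assumption)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}  # username -> record

    def add_user(self, username: str, password: str, permission: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw_hash": _hash_password(password, salt),
                                "permission": permission, "auth_key": None,
                                "fingerprint": None, "last_seen": 0.0}

    def authenticate(self, username, password, remote_ip, user_agent):
        """POST /api/authenticate: returns (auth_key, user info) or None on bad credentials."""
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"])):
            return None
        rec["auth_key"] = secrets.token_urlsafe(32)          # randomly generated per login
        rec["fingerprint"] = _client_fingerprint(remote_ip, user_agent)
        rec["last_seen"] = self.clock()
        return rec["auth_key"], {"username": username, "permission": rec["permission"]}

    def authorize(self, auth_key, remote_ip, user_agent):
        """Per-request check of the Auth-Key header: returns (200, user info) or (401, None)."""
        fp = _client_fingerprint(remote_ip, user_agent)
        for username, rec in self.users.items():
            if rec["auth_key"] and hmac.compare_digest(rec["auth_key"], auth_key) \
                    and hmac.compare_digest(rec["fingerprint"], fp):
                if self.clock() - rec["last_seen"] > SESSION_TIMEOUT_MINUTES * 60:
                    rec["auth_key"] = None                    # inactive too long: force re-login
                    return 401, None
                rec["last_seen"] = self.clock()               # activity extends the window
                return 200, {"username": username, "permission": rec["permission"]}
        return 401, None
```

Each request hits the store once with the header value and the connection fingerprint; a key presented from a different IP or User-Agent fails the same way an unknown key does.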
