How to secure RESTful Web Services (PROVIDER)


Question

I need to secure RESTful services in the provider. I want the user to need authorization to use the REST service, so that I can generate usage statistics or simply not allow calls to the REST services if they aren't a registered developer.

I have been thinking about having the user send the email and password in the URL (http://autor.derf.com/api/search/email?=dsdfd@gmail.com&passwd=dasffsdf;), but that isn't very safe.

I have also read about OAuth 2.0, but the documentation is very, very bad for Java.

Is there any other way to have a RESTful API with authorization?

I want a RESTful API that can be accessed from iPhone, Android, Windows Phone and the web.

Thanks in advance ;)

Recommended answer

If you plan to write all the clients for the service yourself (iPhone, Android etc.), then sending email and password is a decent alternative, as long as the provider communicates over a secure transport layer (e.g. SSL/HTTPS).

You can always add support for OAuth 1 or 2 later if you feel that you want to make your APIs public. (The whole idea with OAuth is to protect users' passwords, and also to get more fine-grained control over which APIs a client can use, and for how long.)

But in your case I would at least consider using basic authentication, in which a typical HTTP request looks somewhat like this:

GET /path/to/api HTTP/1.1
Host: www.example.com
Authorization: Basic aHR0cHdhdGNoOmY=

The hash after "Basic" is simply the base64-encoded "username:password", or in your case "email:password". If anyone intercepts it, it is easy to simply decode it to get the plain-text user credentials. So HTTPS is a must.

» More information on basic authentication at Wikipedia.
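As an added example that is not part of the original answer: the provider side of the Basic scheme described above, written in Python (the question mentions Java, but the same logic goes into a servlet filter). It decodes the header exactly the way an interceptor would, which is why the answer insists on HTTPS, checks the credentials against salted PBKDF2 hashes with a constant-time comparison, and refuses Basic credentials that arrive over plain HTTP. The user store, the developer account "dev@example.com", its password, and the realm name are all constructed for this example; the sample header value is the one from the answer.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Hypothetical provider-side checks for HTTP Basic authentication on a REST API.
# Everything below (user store, sample account, realm name) is constructed for
# this example and is not code from the original answer.

REALM = "api"            # assumed realm name for the WWW-Authenticate challenge
PBKDF2_ROUNDS = 100_000  # work factor for the stored password hashes


def parse_basic_auth(header_value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64>' into (user, password).

    Returns None for a missing, non-Basic or malformed header. This is the
    same decoding an interceptor would do: base64 is encoding, not secrecy.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # RFC 7617: the user-id may not contain ':', so split on the first colon only;
    # the password itself is allowed to contain further colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def make_basic_header(user: str, password: str) -> str:
    """Client side of the scheme: the header value a mobile app would send."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never keeps the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample data: one registered developer, plus a dummy record so
# that unknown e-mails cost the same hashing work as known ones.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "dev@example.com": register_user("correct horse battery staple"),
}
_DUMMY_RECORD = register_user("")


def verify_credentials(email: str, password: str) -> bool:
    salt, stored = USERS.get(email, _DUMMY_RECORD)
    candidate = hash_password(password, salt)
    # Constant-time comparison; the membership check stops the dummy record
    # from ever authenticating an unregistered address.
    return hmac.compare_digest(candidate, stored) and email in USERS


def authorize_request(scheme: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Decide what the API answers before the real handler runs.

    scheme is 'http' or 'https' as seen by the server (or its TLS terminator).
    Returns (status_code, header_or_message).
    """
    if scheme != "https":
        # Basic credentials are only base64; never accept them in the clear.
        return 403, "TLS required"
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None or not verify_credentials(*creds):
        # One response for missing, malformed and wrong credentials.
        return 401, f'WWW-Authenticate: Basic realm="{REALM}"'
    return 200, f"authenticated as {creds[0]}"


if __name__ == "__main__":
    hdr = make_basic_header("dev@example.com", "correct horse battery staple")
    print(parse_basic_auth("Basic aHR0cHdhdGNoOmY="))   # the answer's sample header
    print(authorize_request("https", {"Authorization": hdr}))
    print(authorize_request("http", {"Authorization": hdr}))
```

The 403 on plain HTTP is deliberate: redirecting to HTTPS would only help after the credentials had already crossed the wire once. Usage statistics per registered developer can be keyed on the e-mail returned by parse_basic_auth once verify_credentials has succeeded.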

