如何保护REST Web服务(提供者) [英] How to secure RESTful Web Services (PROVIDER)
问题描述
我需要在提供商安全REST风格的服务。我想,用户必须使用授权的REST服务,我可以生成使用stadistic或者干脆不要让调用REST服务,如果isn't寄存器开发商。
I need secure Restfull services in the provider. I want that the user must have the authorization for use the REST service and I can generate use stadistic or simply dont allow call the REST services if isn´t a register developer.
我一直在想,用户在URL中发送电子邮件和密码(http://autor.derf.com/api/search/email?=dsdfd@gmail.com&passwd=dasffsdf;),但心不是非常安全的。
I have been thinking about that the user send the email and password in the URL (http://autor.derf.com/api/search/email?=dsdfd@gmail.com&passwd=dasffsdf;) but isnt very safe.
此外,我已经阅读了解OAuth 2.0,但该文档是非常非常糟糕的Java。
Also I have read about oauth 2.0 but the documentation is very very bad for Java.
还有没有其他的办法有一个授权RESTful的API?
Are there any other way to have an RESTful api with authorization?
我想通过在iPhone,Android,Windows手机和网络
I want a Restfull API access by Iphone, Android, Windows Phone and web
在此先感谢;)
推荐答案
如果你打算写自己(iPhone,Android手机等)服务的所有客户端,然后发送电子邮件和密码是一个体面的替代品,只要供应商通过安全传输层通信(如SSL / HTTPS)。
If you plan to write all the clients for the service yourself (iPhone, android etc) then sending email and password is a decent alternative, as long as the provider communicates over a secure transport layer (e.g SSL/HTTPS).
如果你觉得你想使你的API公开您可以随时添加对OAuth的1或2支持更高版本。 (使用OAuth整个构思是为了保护用户的密码,同时也为获得更精细的控制哪些API客户端可以使用,多长时间)。
You can always add support for OAuth 1 or 2 later if you feel that you want to make your APIs public. (The whole idea with OAUth is to protect user's passwords, and also to get a more fine grained control over which APIs a client can use, and for how long).
但是,你的情况我至少会考虑使用基本身份验证,其中一个典型的HTTP请求看起来有点像这样的:
But, in your case I would at least consider using basic authentication, in which a typical HTTP request looks somewhat like this:
GET /path/to/api HTTP/1.1
Host: www.example.com
Authorization: Basic aHR0cHdhdGNoOmY=
散列后的基本简直是采用base64 EN codeD 用户名:密码
,或在您的案件电子邮件:密码
。如果有人拦截它,很容易简单地取消恩code,以获得纯文本的用户凭据。因此,HTTPS是必须的。
The hash after "Basic" is simply base64 encoded "username:password"
, or in your case "email:password"
. If anyone intercepts it, it is easy to simply un-encode to get the plain text user credentials. So HTTPS is a must.
资讯» 基本身份验证的更多信息在Wikipedia 。
» More information on basic authentication at wikipedia.
这篇关于如何保护REST Web服务(提供者)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!