防止未经授权的应用程序的Web API [英] Protect Web API from unauthorized applications
问题描述
我的工作,使用了大量的AJAX与服务器进行通信的网页上。服务器,反过来,拥有广泛的REST / JSON API露出不同的操作调用的Web客户端。
I am working on a web page that uses a lot of AJAX to communicate with the server. The server, in turn, has an extensive REST/JSON API exposing the different operations called by the web client.
本网站所使用的匿名和验证通过的用户。正如你所期望的,通过身份验证的用户发出的Web服务调用需要进行身份验证,并因此免遭未经授权的用户或应用程序。
This web site is used by both anonymous and authenticated users. As you might expect, the web service calls issued by authenticated users require authentication, and are thus protected from unauthorized users or applications.
不过,该网站有很多是不需要身份验证功能,而其中的一些使用匿名的网络服务。从调用这个Web服务我使用到prevent外界的唯一方法是通过使用的 CSRF令牌。我知道,CSRF令牌是不是在这方面非常有用...在手一段时间,你可以找出如何,即使他们使用CSRF令牌使用的Web服务。
However, the web site has a lot of features that require no authentication, and some of these make use of anonymous web services. The only way I am using to prevent outsiders from calling this web services is by using a CSRF token. I know, the CSRF token is not very useful in this regard... with some time in hand, you can figure out how to consume the web services even if they use a CSRF token.
当然,你也可以使用一个验证码,以prevent应用程序或从机器人自主使用网络服务。然而,任何人将能够使用它。
Of course, you can use a CAPTCHA to prevent applications or bots from autonomously using your web service. However, any human will be able to use it.
共享客户端和服务器之间的密钥,在另一边,也没用。因为任何外人从网页源$ C $ C阅读的能力。这一点,
Sharing a secret key between client and server, on the other side, would be useless. This, because of the ability of any outsider to read it from the web page source code.
我想使这些Web服务一样难以调用的更多钞票给任何第三方应用程序。请问您除了使用CSRF令牌呢?这听起来有点傻,但嘿,也许这是愚蠢的,我只是失去了我的时间。
I would like to make these web services as difficult to invoke as posible to any 3rd party application. What would you do besides using the CSRF token? It sounds a little stupid, but hey, maybe it is stupid and I am just losing my time.
注:考虑到本应用程序使用的浏览器,而不是一个可执行文件作为客户端,这个问题是无关的讨论。我不能使用服务器和客户端之间的秘密(据我所知,至少)的
Note: given this application uses a browser and not an "executable" as the client, this question is irrelevant to the discussion. I cannot use a secret between server and client (not to my knowledge, at least)
推荐答案
这仅仅是基于RSA的概念,一个想法,也把欺诈检测你的系统上。从授权用户的风险极小但它们也可以尝试进行匿名电话到您的Web服务了。
This is just an idea based on the concept of RSA and also placing Fraud Detection on your system. The Risk from Authorized users is minimal however they can attempt to make anonymous calls to your web-service too.
有关联合国授权用户:对于每个Web服务调用,生成令牌说,使用RSA一段时间后,其变化(可配置说30分钟)。的code这样prediction最小化。我没有听说过RSA碰撞到现在。发送该令牌回到了他的浏览器会话的用户。为了提高安全性,我们可能要附加的会话ID与RSA令牌。由于会话ID是唯一的新的匿名电话将需要新的会话ID。
For UN-Authorised users : For each web-service call , generate a token say using RSA which changes after some time(can be configured say 30 min). This way prediction of code is minimized. I have not heard of RSA collision till now. Send this token back to the user for his browser session. For further security , we might want to attach a session id with RSA token. Since session ids are unique new anonymous calls would require new session id.
呼叫可以使用审核机制进行跟踪。同时每个Web服务可以有不同的RSA的设置。如何算法的欺诈检测工作将是一个挑战本身。
Calls can be tracked using Auditing mechanism. Also per-web service there can be a different RSA setup. How the Algorithm for Fraud Detection would work is a challenge by itself.
有关授权用户: 每个用户都应该由他用头块IP地址进行跟踪。在RSA令牌原理可以应用。
For Authorized Users : Every user should be tracked by his IP Address using Header block. The RSA token principle can be applied.
该解决方案是非常模糊的,但值得考虑。
The solution is very vague but worth considering.
这篇关于防止未经授权的应用程序的Web API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
