Securing Grails REST service for use with mobile applications

Problem description

I am busy doing some research into using REST services with mobile applications and would appreciate some insight. The scenario is as follows.

Consider a web application that provides a service to users. The web application will also be the main interaction point for the users. This will be done in Grails, and secured with Spring Security.

Now, we want to provide a REST service so that users can use the service via mobile applications. Since Grails has such nice support for making the existing web application RESTful, we will use the built-in Grails support for that.

My question now is, what would be the "best" way to secure the REST service interface so that it can be used from mobile applications (native iOS, Android, WM7, BB).

The information exchanged is highly sensitive, so the more secure, the better.

Thanks

Solution

We decided to split our grails project in three...

  • model-domain-project (This is the "admin" section with all the views/controller scaffolded, and all the services, domain)
  • web-app (this is the main application, controllers, views)
  • api-rest-app (this is the rest controllers)

The model-domain-project is a plugin that is plugged into the web-app and the api-app; it contains the domain model, services, and all the database security, transactions, etc.

The web-app is all the html templates, views and controllers; here we are using the attributes of Spring Security.

In the api-rest-app we are using grails-filters, and we are using Basic-Authorization via https with a token with an expiration date...

If the expiration date of the token is reached, you will have to ask for another token with a "request-token" we sent you with the first token... (it's more or less like oauth2)

To get the two first tokens, you will have to confirm the device via a login with user/phone/password, then you receive a key via SMS that you will have to enter in the app.

Do not know if this is the best way, but it's the way we do it...

Sometimes we are using the web-app as client and call the api-rest-app...
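A minimal model of the token lifecycle the answer describes (an expiring access token, a single-use "request-token" that renews it, credentials carried in a Basic Authorization header over HTTPS), as an added example that is not part of the original answer and not Grails code. The in-memory store, the `user:token` Basic convention, the token lifetimes and the SMS step being handled elsewhere are all assumptions.

```python
import base64
import secrets
from dataclasses import dataclass, field

ACCESS_TTL = 15 * 60          # access token lifetime in seconds (assumed value)
REFRESH_TTL = 30 * 24 * 3600  # request-token lifetime in seconds (assumed value)


def basic_header(user, token):
    """Build the 'Authorization: Basic <b64(user:token)>' value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{token}".encode()).decode()


@dataclass
class TokenStore:
    """Hypothetical server-side store of opaque, expiring tokens (in memory)."""
    access: dict = field(default_factory=dict)   # access token -> (user, expires_at)
    refresh: dict = field(default_factory=dict)  # request token -> (user, expires_at)

    def issue_pair(self, user, now):
        """Issue an access token plus the request token used later to renew it."""
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[a] = (user, now + ACCESS_TTL)
        self.refresh[r] = (user, now + REFRESH_TTL)
        return a, r

    def authenticate(self, header, now):
        """Return the user for a valid, unexpired Basic user:token header, else None."""
        try:
            scheme, b64 = header.split(" ", 1)
            user, token = base64.b64decode(b64).decode().split(":", 1)
        except (ValueError, AttributeError):
            return None  # malformed header, bad base64 or missing ':' separator
        if scheme != "Basic":
            return None
        entry = self.access.get(token)
        # Reject unknown tokens, tokens owned by another user, and expired tokens.
        if entry is None or entry[0] != user or entry[1] <= now:
            return None
        return user

    def refresh_pair(self, request_token, now):
        """Exchange a valid request token for a fresh pair; the old one is revoked."""
        entry = self.refresh.pop(request_token, None)  # single use: always consumed
        if entry is None or entry[1] <= now:
            return None
        return self.issue_pair(entry[0], now)
```

Because the request token is consumed on use, a replayed refresh fails and can be logged as a sign that the token was copied off the device.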
