Prevent others from calling your JSON web service

Views: 159

Problem description
Let's say I have some code that creates an HTML page with a JSON service call.

How can I prevent others from copying and pasting the source code, calling the service and getting the result set for the first user?

If I get the domain as a parameter for the service or get something else like username or password, they could also be copied and pasted and used for another domain.

I don't see a way of preventing this or am I wrong?

Solution

You are correct that there is no way to absolutely prevent this, but you can make it a lot more difficult and you can make it so that you can identify the user who is either abusing the API or was hacked themselves.

The way to do this is by using certificates (asymmetric encryption). Each client has a private and a public key that are completely unique to that client. The public key is public knowledge (typically stored on the server or in a third party database like Comodo or Verisign). The private key is private to the client. The server also has a private/public key.

Each time the client makes a request, the request is encrypted with the server's public key, and signed (encrypted) with the client's private key. The server's key ensures that only the server can decrypt the request, and the client's key ensures that only the client could have encrypted that request such that it is perfectly reversible using the client's public key.

This means that a malicious user will only be able to make requests under his/her own name, so you will know who is messing around, or you know which user was compromised so you can inform him/her and disable their account. This also prevents other users from sniffing on the wire and recovering another user's request to perform a replay attack.

There are other ways to implement this, such as using secure cookies to track the user requests. I'll post some links to helpful questions regarding secure cookie implementations for you. Some of these are for other platforms but the concepts are the same.

This is a lot to take in. You'll probably want to do some more reading before beginning your implementation.

Other helpful questions:

  1. REST Web Service authentication token implementation
  2. Security When Using REST API in an iPhone Application
  3. https://stackoverflow.com/questions/15390354/api-key-alternative/15390892#15390892 Link Broken.
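The per-client signing scheme the answer describes, as an added example that is not from the answer, the question, or any particular library. Each client holds an Ed25519 private key, the server keeps a table of registered public keys, and every request is signed over its method, path, body hash, a timestamp and a random nonce. The signature is what attributes a request to one client id, which is the answer's main point; the timestamp and nonce are the check a practitioner would add on top, because a signed request that carries neither can be captured and resent verbatim and will verify again. The server looks the key up by the claimed client id before verifying, so a request signed with someone else's key but labelled with this id fails, and an unregistered id is refused outright. Encrypting the request to the server is left to TLS here; the example covers the signing half. The type and field names (`Client`, `Server`, `SignedRequest`, the `Now` hook used to pin the clock) are this example's own, and the sample request body is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"sync"
	"time"
)

// SignedRequest is what travels on the wire: the JSON body plus the values
// the server needs to attribute the request to one client and verify it.
type SignedRequest struct {
	ClientID  string
	Method    string
	Path      string
	Body      []byte
	Timestamp int64  // Unix seconds; bounds the replay window
	Nonce     string // random per request; blocks replay inside the window
	Signature string // base64 Ed25519 signature over canonical()
}

// canonical fixes exactly which bytes are signed so both sides agree.
// Hashing the body keeps the signed string short for large payloads.
func canonical(r *SignedRequest) []byte {
	sum := sha256.Sum256(r.Body)
	return []byte(strings.Join([]string{r.Method, r.Path,
		strconv.FormatInt(r.Timestamp, 10), r.Nonce, hex.EncodeToString(sum[:])}, "\n"))
}

// Client holds the private key, which never leaves the client.
type Client struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewClient generates the client's key pair; the public half is registered with the server.
func NewClient(id string) (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{ID: id, priv: priv}, pub, nil
}

// Sign builds a request with a fresh nonce and signs it with the client's private key.
func (c *Client) Sign(method, path string, body []byte, now time.Time) (*SignedRequest, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r := &SignedRequest{ClientID: c.ID, Method: method, Path: path, Body: body,
		Timestamp: now.Unix(), Nonce: hex.EncodeToString(nonce)}
	r.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(c.priv, canonical(r)))
	return r, nil
}

var (
	ErrUnknownClient = errors.New("unknown client id")
	ErrStale         = errors.New("timestamp outside allowed window")
	ErrReplay        = errors.New("nonce already used")
	ErrBadSignature  = errors.New("signature does not verify")
)

// Server knows each registered client's public key and remembers accepted nonces.
type Server struct {
	mu      sync.Mutex
	keys    map[string]ed25519.PublicKey
	seen    map[string]int64 // "clientID:nonce" -> timestamp, for replay detection
	MaxSkew time.Duration
	Now     func() time.Time // injectable clock (hypothetical hook, used by tests)
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, seen: map[string]int64{},
		MaxSkew: 5 * time.Minute, Now: time.Now}
}

func (s *Server) Register(id string, pub ed25519.PublicKey) {
	s.mu.Lock()
	s.keys[id] = pub
	s.mu.Unlock()
}

// Verify returns the client id the request is attributable to, or an error saying why not.
func (s *Server) Verify(r *SignedRequest) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	pub, ok := s.keys[r.ClientID] // key is chosen by the claimed id, never sent by the client
	if !ok {
		return "", ErrUnknownClient
	}
	now, skew := s.Now().Unix(), int64(s.MaxSkew/time.Second)
	if r.Timestamp < now-skew || r.Timestamp > now+skew {
		return "", ErrStale
	}
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil || !ed25519.Verify(pub, canonical(r), sig) {
		return "", ErrBadSignature
	}
	// Nonce check only after the signature verified, so forged requests
	// cannot burn a legitimate client's nonces.
	key := r.ClientID + ":" + r.Nonce
	if _, dup := s.seen[key]; dup {
		return "", ErrReplay
	}
	s.seen[key] = r.Timestamp
	for k, ts := range s.seen { // nonces older than the window can no longer replay
		if ts < now-skew {
			delete(s.seen, k)
		}
	}
	return r.ClientID, nil
}

func main() {
	srv := NewServer()
	alice, alicePub, _ := NewClient("alice")
	srv.Register("alice", alicePub)
	req, _ := alice.Sign("POST", "/api/search", []byte(`{"q":"ssh"}`), time.Now())
	who, err := srv.Verify(req)
	fmt.Println("first delivery:", who, err)
	who, err = srv.Verify(req) // same bytes sent again
	fmt.Println("replayed:", who, err)
}
```

The order of checks matters: the cheap lookups (known id, fresh timestamp) run before the signature, and the nonce table is consulted only for requests that already verified, so an attacker who can see another client's id cannot fill the server's nonce table on that client's behalf. What this does not do is hide the client id or stop a client whose private key has leaked; as the answer says, that case is detected by attribution, not prevented.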
