How to prevent direct access to my JSON service?
Question
I have a JSON web service to return home markers to be displayed on my Google Map.
Essentially, http://example.com calls the web service to find out the location of all map markers to display like so:
http://example.com/json/?zipcode=12345
And it returns a JSON string such as:
{"address": "321 Main St, Mountain View, CA, USA", ...}
So on my index.html page, I take that JSON string and place the map markers.
However, what I don't want to have happen is people calling out to my JSON web service directly.
I only want http://example.com/index.html to be able to call my http://example.com/json/ web service ... and not some random dude calling the /json/ directly.
Question: how do I prevent direct calling/access to my http://example.com/json/ web service?
Update
To give more clarity, http://example.com/index.html calls http://example.com/json/?zipcode=12345 ... and the JSON service
- returns semi-sensitive data,
- returns a JSON array,
- responds to GET requests,
- the browser making the request has JavaScript enabled
Again, what I don't want to have happen is people simply looking at my index.html source code and then calling the JSON service directly.
Accepted answer
There are a few good ways to authenticate clients.
- By IP address. In Apache, use the Allow / Deny directives.
- By HTTP auth: basic or digest. This is nice and standardized, and uses usernames/passwords to authenticate.
- By cookie. You'll have to come up with the cookie.
- By a custom HTTP header that you invent.
Edit:
I didn't catch at first that your web service is being called by client-side code. It is literally NOT POSSIBLE to prevent people from calling your web service directly, if you let client-side Javascript do it. Someone could just read the source code.
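As an added illustration (not code from the question or the answer above), here is a server-side gate for the `/json/?zipcode=` endpoint that applies the four checks the answer lists. The user table, the network allowlist, the session store and the header name `X-Map-Client` are all constructed placeholders; the comment on the header check spells out the answer's caveat that a value readable in index.html only stops naive direct calls, so the real protection for semi-sensitive data is the per-user credential (HTTP auth or a session cookie), not the header.

```python
"""Gatekeeper for GET /json/?zipcode=... showing the answer's four checks."""
import base64
import hmac
import json
import secrets
from ipaddress import ip_address, ip_network

# Constructed sample data; none of it is real.
ALLOWED_NETS = [ip_network("10.0.0.0/8")]      # option 1: IP allowlist (Apache Allow/Deny)
USERS = {"alice": "s3cret"}                      # option 2: HTTP Basic credentials
SESSIONS = {}                                    # option 3: cookie value -> username
MAP_HEADER = "X-Map-Client"                      # option 4: invented header (assumed name)
MAP_HEADER_VALUE = "index.html"
MARKERS = {"12345": [{"address": "321 Main St, Mountain View, CA, USA"}]}

def new_session(username):
    """Called by the login step behind index.html; the browser stores this cookie."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def _basic_user(auth_header):
    """Return the username if 'Authorization: Basic ...' carries valid credentials."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(pw.encode(), expected.encode()):
        return user
    return None

def authorize(remote_addr, headers, cookies, allowed_nets=ALLOWED_NETS):
    """Return (ok, reason_or_user); each check maps to one option in the answer."""
    if allowed_nets and not any(ip_address(remote_addr) in n for n in allowed_nets):
        return False, "ip not allowed"
    user = _basic_user(headers.get("Authorization")) or SESSIONS.get(cookies.get("session"))
    if user is None:
        return False, "no valid credentials"
    # Only stops naive direct calls: anyone who reads index.html sees this value.
    if headers.get(MAP_HEADER) != MAP_HEADER_VALUE:
        return False, "missing client header"
    return True, user

def handle_json(remote_addr, headers, cookies, zipcode):
    """Minimal /json/ handler: (status, body); only authorized callers get markers."""
    ok, detail = authorize(remote_addr, headers, cookies)
    if not ok:
        return 403, json.dumps({"error": detail})
    return 200, json.dumps(MARKERS.get(zipcode, []))
```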