安全地将凭证提供给RESTFUL API [英] Supplying credentials safely to a RESTFUL API

问题描述

我已经创建了一个RESTful服务器应用程序，该应用程序可以使用有用的网址(例如www.site.com/get/someinfo)来处理请求并为其提供服务.它是在Spring中构建的.

I've created a RESTful server app that sits and services requests at useful URLs such as www.site.com/get/someinfo. It's built in Spring.

但是，这些访问受密码保护.我现在正在构建一个客户端应用程序，该应用程序将连接到该RESTful应用程序并通过URL请求数据.如何传递凭证?当前，它只是向用户弹出用户/密码框，但是我希望用户能够在客户端应用程序的框中输入用户名和密码，并让客户端应用程序在RESTful应用程序提供凭据.它请求数据.客户端是使用Struts构建的.

However, these accesses are password protected. I'm now building a client app that will connect to this RESTful app and request data via a URL. How can I pass the credentials across? Currently, it just pops up the user/password box to the user, but I want the user to be able to type the username and password into a box on the client app, and have the client app give the credentials to the RESTful app when it requests data. The client is built using Struts.

欢呼

编辑-我认为我没有把问题弄清楚.我已经在强制使用HTTPS，我的问题是更多的代码内问题，当我从www.site.com/get/someinfo请求数据时，如何在发出请求的同时传递我的凭据?

EDIT - I don't think I made the question clear enough. I'm already forcing HTTPS, my question is more, in-code, when I'm requesting data from www.site.com/get/someinfo, how do I pass my credentials alongside making the request?

推荐答案

您或多或少有3个选择:

You more or less have 3 choices:

1. HTTP身份验证
2. 滚动您自己的协议，理想情况下 HMAC 基于质询/响应
3. OAuth

1. HTTP Auth
2. Roll your own protocol, ideally HMAC challenge/response based
3. OAuth

OAuth当前容易受到网络钓鱼攻击的影响，这种攻击在很大程度上是目标无法检测到的.因此，我不建议您修改协议.

OAuth is currently susceptible to a variation of a phishing attack, one that is largely undetectable to the target. As such I wouldn't recommend it until the protocol is modified.

OAuth还应该为设计安全协议的难度提供一个教训，因此，我不愿推荐自己的路线.

OAuth should also be a lesson about how difficult it is to design secure protocols, and so I'm hesitant to reccomend the roll your own route.

这将保留HTTP身份验证，如果您可以使用它，那将是最好的选择.

That leaves HTTP auth, which is likely best if you can use it.

话虽如此，互联网上几乎所有内容都使用基于表单的身份验证，而且许多人甚至不担心https来保证传输级别的安全性，因此简单地以明文形式发送密码文本对于您的目的足够好".甚至我仍然鼓励使用https，因为这至少可以减少对中级攻击者的威胁.

All that said, almost everything on the internet uses form based authentication, and many don't even bother with https for transport level security, so perhaps simply sending the password text in the clear is "good enough" for your purposes. Even still I'd encourage using https, as that at least reduces the dangers to a man in the middle attack.

这篇关于安全地将凭证提供给RESTFUL API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！