Best way to secure Private REST API without user authentication for mobile app


Problem description

I am making some RESTful APIs for my mobile application.

The communication between the app and the web server has to be done over REST. These APIs should be private, and only my app should be able to call them for successful results.

The tough part is that there is no user ID and password required in my app, so I do not know how I could restrict the REST API to the mobile app without basic user authentication.

One solution I thought of was to embed some kind of hardcoded string, so when the mobile app uses the RESTful URL it will pass that in encrypted form over SSL. But I know this seems like a very bad solution.

Kindly suggest what should be the best solution in such a situation.

Recommended answer

Take a look at the Hash-based message authentication code (HMAC) mechanism.

Wikipedia link: http://en.wikipedia.org/wiki/Hash-based_message_authentication_code

Your client (mobile app) will need a public API key that identifies the REST web service client and a private / cryptographic key. The public API key can be sent along with the HTTP request. It is public and everyone can see it. The private key, however, should never be sent along with the request, and should only be known by the server and client. This key is used to generate the hashed message that is sent to the server instead. The HMAC can be generated using a SHA1 / MD5 algorithm, a message that should be generated by an algorithm that both server and client know and, finally, the private key.
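The scheme described in the answer, worked through as an added example that is not part of the original post or any project's code. The client builds a canonical message from the request, signs it with the private key using HMAC, and sends only the public API key and the tag; the server looks up the private key by public key, recomputes the tag and compares in constant time. The header names, the demo credentials, the canonical-message layout and the use of SHA-256 (rather than the SHA1 / MD5 the answer mentions) are assumptions made here; the timestamp window and nonce cache are an addition beyond the answer, because a bare HMAC over the request can otherwise be captured and replayed. Note that the private key still has to ship inside the app, so this identifies the app build rather than a user, which is the same limitation the question raises about a hardcoded string.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo credentials (not from the original post). In practice the
# server stores one private key per public API key it has issued.
PUBLIC_API_KEY = "demo-app-client-001"
PRIVATE_KEY = b"constructed-demo-secret-do-not-reuse"


def canonical_message(method, path, body, timestamp, nonce):
    """Build the exact byte string both sides sign. Any difference in how the
    client and server assemble this (case, ordering, encoding) breaks the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(method, path, body, public_key, private_key, timestamp=None, nonce=None):
    """Client side: compute the HMAC-SHA256 tag and return the headers to attach.
    Only the public key, timestamp, nonce and tag travel over the wire; the
    private key never does. Header names are assumptions for this example."""
    if timestamp is None:
        timestamp = int(time.time())
    if nonce is None:
        nonce = secrets.token_hex(8)
    msg = canonical_message(method, path, body, timestamp, nonce)
    tag = hmac.new(private_key, msg, hashlib.sha256).hexdigest()
    return {
        "X-Api-Key": public_key,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": tag,
    }


class HmacVerifier:
    """Server side: look up the private key by public API key, recompute the
    tag and compare in constant time. The timestamp window and nonce cache are
    an added replay defence beyond what the answer describes."""

    def __init__(self, key_store, max_skew_seconds=300):
        self.key_store = key_store          # public key -> private key bytes
        self.max_skew = max_skew_seconds
        self.seen_nonces = set()            # use a TTL cache in a real server

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        private_key = self.key_store.get(headers.get("X-Api-Key", ""))
        if private_key is None:
            return False, "unknown api key"
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            tag = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside allowed window"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac.new(private_key,
                            canonical_message(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        # compare_digest does not short-circuit on the first mismatching byte
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo():
    """Round trip with constructed requests: a tampered body, the genuine
    request, a replay of it, and a request whose timestamp is too old."""
    verifier = HmacVerifier({PUBLIC_API_KEY: PRIVATE_KEY})
    body = b'{"item": 42}'
    now = 1_700_000_010
    hdrs = sign_request("POST", "/v1/orders", body, PUBLIC_API_KEY, PRIVATE_KEY,
                        timestamp=1_700_000_000, nonce="a1b2c3d4e5f60718")
    stale = sign_request("POST", "/v1/orders", body, PUBLIC_API_KEY, PRIVATE_KEY,
                         timestamp=1_699_999_000, nonce="0f0e0d0c0b0a0908")
    return {
        "tampered": verifier.verify("POST", "/v1/orders", b'{"item": 43}', hdrs, now=now)[1],
        "valid": verifier.verify("POST", "/v1/orders", body, hdrs, now=now)[1],
        "replay": verifier.verify("POST", "/v1/orders", body, hdrs, now=now)[1],
        "stale": verifier.verify("POST", "/v1/orders", body, stale, now=now)[1],
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:>9}: {reason}")
```

The order of checks in `verify` matters: the key lookup, timestamp window and nonce check run before the HMAC is computed, so a replayed or stale request is rejected cheaply, and a nonce is only recorded once the signature over it has been verified, so an attacker cannot burn nonces with unsigned requests.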
