网页API安全 [英] Web API Security
问题描述
我要求写一个应用程序的Web API(PC可执行文件,没有网络的应用),将允许发送电子邮件。结果
用户点击的东西,应用程序与生成的电子邮件,发送出去的API进行通信。
I'm asked to write a Web API for an application (pc executable, not web-app) that will allow sending emails.
A user clicks something, the app communicates with the API which generates an email and sends it out.
我要确保没有人非法将有机会获得的API,所以我需要做一些种类的认证,我没有得到一个想法如何正确地做到这一点。
I have to make sure noone unauthorised will have access to the API, so I need to make some kind of authentication and I haven't got an idea how to do it correctly.
将会有更多的应用程序访问的API。
There will be more applications accessing the API.
首先想到的是 - 发送用户名和密码,但是这并不能真正解决问题。因为如果有人反编译的应用,他们将不得不请求的URL和变量,包括用户名/密码,或者简单地将它正好可以闻。
First thought was - send username and password, but this doesn't solve the problem really. Because if someone decompiles the application, they'll have the request url and variables including user/password or simply it can just be sniffed.
所以...什么可以怎么做?
so... what options do I have?
我相当肯定安全连接(SSL)是不提供给我的那一刻,不过,这不会帮助我对反编译的问题,会吗?
I'm fairly sure secure connection (SSL) is not available to me at the moment, but still, this won't help me against the decompiling problem, will it?
修改
我没有说,最初,但用户不会被要求输入用户名/密码即可。它的应用程序(S),将有进行认证,而不是应用(多个)用户。
I haven't said that initially, but the user will not be asked for the username/password. It's the application(s) that will have to be authenticated, not users of the application(s).
推荐答案
我会建议您检查出的OAuth。它一定要帮助你在授权工具来访问您的API整理出了安全问题。
I would recommend you check out OAuth. it should definitely help you out in sorting out the security issues with authorizing tools to access your API.
这篇关于网页API安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!