Securing REST API without reinventing the wheel


Question

When designing a REST API, is it common to authenticate a user first?

The typical use case I am looking for is:


  • Users want to get data. Sure, cool, we like sharing! Get a public API key and read away!

  • Users want to store/update data... whoa, wait! Who are you, and can you do this?

I would like to build it once and allow, say, a web app, an Android application or an iPhone application to use it.

A REST API appears to be a logical choice with requirements like this.

To illustrate my question I'll use a simple example.

I have an item in a database, which has a rating attribute (integer 1 to 5).

If I understand REST correctly, I would implement a GET request, using the language of my choice, that returns CSV, XML or JSON like this:

http://example.com/product/getrating/{id}/

Say we pick JSON; we return:

{
  "id": "1",
  "name": "widget1",
  "attributes": { "rating": {"type":"int", "value":4} }
}

This is fine for public-facing APIs. I get that part.

Where I have tons of questions is how do I combine this with a security model? I'm used to web-app security where I have a session state identifying my user at all times, so I can control what they can do no matter what they decide to send me. As I understand it, this isn't RESTful, so it would be a bad solution in this case.

I'll try to use another example using the same item/rating.

If user "JOE" wants to add a rating to an item,

this could be done with:

http://example.com/product/addrating/{id}/{givenRating}/

At this point I want to store the data saying that "JOE" gave product {id} a rating of {givenRating}.

Question: How do I know the request came from "JOE" and not "BOB"?

Furthermore, what if it was for more sensitive data like a user's phone number?

What I have so far is:

1) Use the built-in feature of HTTP to authenticate at every request, either over plain HTTP or HTTPS.

This means that every request now takes the form of:

https://joe:joepassword@example.com/product/addrating/{id}/{givenRating}/

2) Use an approach like Amazon's S3 with private and public keys: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/

3) Use a cookie anyway and break the stateless part of REST.

The second approach appears better to me, but I am left wondering: do I really have to reinvent this whole thing? Hashing, storing, generating the keys, etc., all by myself?

This sounds a lot like using sessions in a typical web application and rewriting the entire stack yourself, which usually to me means "You're doing it wrong", especially when dealing with security.

Edit: I guess I should have mentioned OAuth as well.
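The "private and public key" scheme in option 2 above is a request-signing scheme: the client holds a shared secret, signs each request with an HMAC over the fields the server will act on, and the server recomputes the signature with the secret stored for that key id. The example below is added here to show what that looks like end to end; it is not code from the question, the answer, or the linked article. The header names (X-Key-Id, X-Timestamp, X-Signature), the in-memory key store, and the 300-second replay window are assumptions made for the example, and the path reuses the question's addrating URL so that tampering with {givenRating} can be shown to fail verification. Everything comes from the Python standard library (hmac, hashlib, secrets), which is the point: the hashing, comparison and key generation the question worries about do not need to be reinvented.

```python
import hashlib
import hmac
import secrets
import time

# Constructed credential store for this example: key id -> shared secret.
# A real service keeps these in a database, ideally encrypted at rest; unlike a
# password the secret must stay recoverable, because HMAC verification needs it.
KEYS = {
    "joe-key-id": "joe-shared-secret-constructed-for-this-example",
}

# Requests whose timestamp differs from the server clock by more than this many
# seconds are rejected, which bounds how long a captured request could be
# replayed. The window size is an assumption of this example.
MAX_SKEW_SECONDS = 300


def generate_credentials():
    """Issue a new (key id, shared secret) pair from the OS CSPRNG."""
    return secrets.token_hex(8), secrets.token_urlsafe(32)


def canonical_string(method, path, timestamp, body):
    """Bind every field the server acts on into the one string that gets signed.

    The body is hashed so a JSON payload is covered by the signature without
    having to embed it verbatim in the string.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def compute_signature(secret, method, path, timestamp, body):
    """HMAC-SHA256 over the canonical string, hex encoded."""
    message = canonical_string(method, path, timestamp, body).encode()
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def sign_request(key_id, secret, method, path, body=b"", timestamp=None):
    """Client side: build the headers that accompany one request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    return {
        "X-Key-Id": key_id,
        "X-Timestamp": str(ts),
        "X-Signature": compute_signature(secret, method, path, ts, body),
    }


def verify_request(headers, method, path, body=b"", now=None):
    """Server side: return the authenticated key id, or None on any failure.

    Every failure returns the same None so the caller cannot tell whether the
    key id, the timestamp or the signature was the problem.
    """
    secret = KEYS.get(headers.get("X-Key-Id"))
    if secret is None:
        return None
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None
    current = int(time.time()) if now is None else int(now)
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return None  # outside the replay window
    expected = compute_signature(secret, method, path, ts, body)
    given = headers.get("X-Signature", "")
    # Constant-time comparison, so response timing does not leak how many
    # leading bytes of a forged signature were correct.
    if not hmac.compare_digest(expected.encode(), given.encode()):
        return None
    return headers["X-Key-Id"]


if __name__ == "__main__":
    path = "/product/addrating/1/4/"
    headers = sign_request("joe-key-id", KEYS["joe-key-id"], "POST", path)
    print("as sent:", verify_request(headers, "POST", path))
    print("rating changed in path:", verify_request(headers, "POST", "/product/addrating/1/5/"))
```

Because the method, path, timestamp and body hash are all inside the signed string, changing any of them, including the {givenRating} segment of the path, invalidates the signature. The scheme answers "who sent this?" (the key id) but not confidentiality: the request body still travels in the clear unless the API is served over HTTPS, which is why option 1's transport protection and option 2's signing are complementary rather than alternatives.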

Answer

No, there is absolutely no need to use a cookie. It's not half as secure as HTTP Digest, OAuth or Amazon's AWS (which is not hard to copy).

The way you should look at a cookie is that it's an authentication token as much as Basic/Digest/OAuth/whichever would be, but less appropriate.

However, I don't feel using a cookie goes against RESTful principles per se, as long as the contents of the session cookie do not influence the contents of the resource you're returning from the server.

Cookies are evil, stop using them.
