Restful API authentication recommendation?


Problem description

I am developing several RESTful APIs for 3rd parties to call, and these APIs need authentication (apikey & secret based), and authorization (HTTP method & URI based).

Is there any existing software we can reuse that prevents me from rolling out our own implementation for the security layer?

Recommended answer

HTTP gives you granted support for that, so you don't need to reinvent the wheel.

Either use:

  • HTTP Basic Auth (use SSL to get around the plaintext password submission problem)

  • HTTP Auth Digest

Auth Digest has the advantage that it does not transmit the password in cleartext and handles replay attacks (with nonces).

We use HTTP Auth Digest (Tomcat servlet container has direct support for it) and we are content with it.

Edit: Some clients have problems with Digest (not so trivial), so these days I would opt for Basic and SSL. An advantage of Basic is also that you can use preemptive authentication (sending user:pwd in first request).
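
To make the comparison in the answer concrete, here is an added Python example (not part of the original answer, and not Tomcat's implementation) that builds a Basic header and an RFC 2617 Digest response, then verifies the Digest response on the server side with nonce-count tracking. The `DigestVerifier` class, its storage of HA1 values and its replay bookkeeping are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_header(user, pwd):
    # Basic is only base64("user:pwd"): trivially reversible, hence the need for SSL/TLS.
    # It needs no server challenge, so it can be sent preemptively on the first request.
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()

def digest_response(user, realm, pwd, method, uri, nonce, nc, cnonce):
    # RFC 2617 qop=auth: the password only enters through the HA1 hash,
    # and the HTTP method and URI are bound into the response through HA2.
    ha1 = md5_hex(f"{user}:{realm}:{pwd}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    """Hypothetical server side: stores HA1 per user and tracks nonce counters."""

    def __init__(self, ha1_by_user):
        self.ha1_by_user = ha1_by_user
        self.last_nc = {}  # issued nonce -> highest nonce count accepted so far

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.last_nc or user not in self.ha1_by_user:
            return False  # nonce was never issued by this server, or unknown user
        count = int(nc, 16)
        if count <= self.last_nc[nonce]:
            return False  # same or older nonce count: a replayed request
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{self.ha1_by_user[user]}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        self.last_nc[nonce] = count
        return True
```

Because the method and URI are hashed into the response, a response captured for one request does not verify for a different method or path, which is why the client needs a challenge first and cannot authenticate preemptively the way Basic can.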
