Securing a REST API and Slim Framework


Problem description


I am fairly new to REST APIs, and I realize there are quite a few questions already posted. However, perusing these has actually left me more confused on how to handle this.


I have created a REST API using Slim Framework which I am simply using to transfer data. I won't be using user logins or authentication, so I believe to secure this I just need a system that using a public key and a private key, but I am just not sure.


If anyone has insight on the correct / most secure way to do this, or any tutorials / resources that would be great. Any help is appreciated.

Recommended answer


You can use SSL to encrypt data in transit.


But SSL is just encryption; server-side SSL does not do authentication of the client, nor authorization. You can think of authorization as answering the question "is the caller allowed to do what he is asking?". Authentication, establishing the identity of the caller, is usually a necessary first step for doing authorization. Sometimes you don't need "the whole identity" - you just need to ascertain a particular aspect. For example, an automated washroom gate would not need to know who you were, but only whether you were male or female, in order to ascertain identity. In the same way, some services don't care who you are; they will allow access if you are calling from a particular network (IP whitelist) or if you carry a special token.


To allow the server to distinguish between authorized and unauthorized calls you have some options:

  • IP whitelist. If you know the IP address of the app or agent which will call your service, you can specify that in your service implementation. The service can check the IP of incoming requests and reject those that are not on the whitelist. This is sort of "implicit" authorization based on the caller's address.

  • A secret token, that the app provides in each call. You said you didn't want to do authentication, but this is a form of authentication. You might call it a "bearer token". Anyone who bears this token gets authorization. In your server you'd check the value of the token and reject any calls that don't match the well-known value. This works much like the IP whitelist except the token is explicitly passed, and does not have any relation to the network address.

  • A token + key pair. This is like a username / password, but it can be used to authenticate the app. Use this to provide the identity of the app itself. Check on the service side as above.

  • A username / password. To authenticate the user of the app.


You may want to combine these to produce the solution you want. In other words, the client request needs to be from the right IP address, and needs to have a token/key for the app, and a username/password for the user, in order to be considered "authorized".
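As an added illustration (not code from the answer's author or from the Slim project), here is a Slim 4 middleware that combines the first two options above, an IP whitelist and a bearer token, and rejects a request as soon as either check fails. It assumes slim/slim 4.x and slim/psr7 are installed via Composer; the IP addresses, the `API_TOKEN` environment variable and the `/data` route are constructed placeholders.

```php
<?php
// Added example: Slim 4 middleware enforcing an IP whitelist plus a bearer token.
// Serve this over HTTPS, as the answer says, so the token is encrypted in transit.
require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Slim\Factory\AppFactory;

$app = AppFactory::create();

// Constructed placeholder values. Load the real token from configuration or the
// environment; never commit it to source control.
$allowedIps    = ['203.0.113.10', '203.0.113.11'];
$expectedToken = getenv('API_TOKEN') ?: 'replace-me-with-a-long-random-secret';

$app->add(function (Request $request, RequestHandler $handler) use ($allowedIps, $expectedToken): Response {
    // 1. IP whitelist: "implicit" authorization based on the caller's address.
    //    REMOTE_ADDR is the TCP peer. Behind a reverse proxy it is the proxy's
    //    address, so decide deliberately whether to trust X-Forwarded-For instead.
    $clientIp = $request->getServerParams()['REMOTE_ADDR'] ?? '';
    if (!in_array($clientIp, $allowedIps, true)) {
        return (new \Slim\Psr7\Response())->withStatus(403);
    }

    // 2. Bearer token: explicit authorization by a shared secret.
    //    hash_equals() compares in constant time so the check does not leak
    //    how many leading characters of a guessed token were correct.
    $header = $request->getHeaderLine('Authorization');
    if (!preg_match('/^Bearer\s+(\S+)$/', $header, $m) || !hash_equals($expectedToken, $m[1])) {
        return (new \Slim\Psr7\Response())
            ->withStatus(401)
            ->withHeader('WWW-Authenticate', 'Bearer');
    }

    // Both checks passed: hand the request on to the matched route.
    return $handler->handle($request);
});

$app->get('/data', function (Request $request, Response $response): Response {
    $response->getBody()->write(json_encode(['status' => 'ok']));
    return $response->withHeader('Content-Type', 'application/json');
});

$app->run();
```

A caller from an unlisted address gets 403 before the token is even looked at; a listed caller with a missing or wrong token gets 401, which keeps the two failure modes distinguishable in your access logs.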

