保护 REST API [英] Securing a REST API
问题描述
我正在开发一个 PHP 社交媒体 Web 应用程序,该应用程序将得到各种运行 REST API 的 Web 服务的支持.Web 服务可能会在带有 MySQL 数据层的 Java 中实现,但我试图做的重点是根据适当的情况,使在不同语言/数据存储中实现模块变得非常容易.
I am in the middle of developing a PHP social media web application which will be supported by various web services each operating a REST API. Web services will probably be implemented in Java with MySQL data layer but the whole point of what I am trying to do is make it really easy to implement modules in different languages/data stores depending on what is approriate.
例如,当用户通过登录表单登录应用程序时,PHP 代码会连接到 Web 服务并 POST 用户名和密码以检查是否应该对其进行身份验证.我通常会在此时启动一个会话并将其存储在会话数据存储中.
So for example when the user logs into the application via a login form the PHP code connects to a web service and POSTs the username and password to check if they should be authenticated. I would normally at this point start a session and store it in a session data store.
另一个示例可能是用户向另一个用户发送私人消息.消息将被发布到私人消息网络服务,该服务将负责所有存储.同样,可以联系 Web 服务以检索用户的消息.
Another example could be if a user sends a private message to another user. The message would be POSTed to the private messaging web service which would take care of all the storage. Similarly the web service could be contacted to retrieve messages for a user.
虽然我了解如何在 Java 中实现 REST Web 服务并在 PHP 中建立与它的连接,但我完全不确定如何保护正在传递的数据并确保它是返回的用户数据.例如,如果我想获取所有用户作为私人消息,Web 服务如何知道返回该用户.我可以将该用户标识符作为 GET url 的一部分传递,但肯定任何老用户都可以找出 GET url 并使用它来查找其他人的消息.我想也许我可以传递会话标识符和 IP 地址,这将允许我检查会话数据存储并确保它是正确的用户?
Although I understand how to implement the REST web service in Java and make the connection to it in PHP I am totally unsure as to how to secure the data being passed and make sure that it is the users data being returned. If for example I want to get all of user As private messages how does the web service know to return that users. I could pass that users identifier as part of the GET url but then surely any old user could just figure out the GET url and use it to look up other peoples messages. I thought maybe I could pass over the session identifier and IP address which would allow me to check the session data store and make sure it is the correct user?
为了保护重要的数据——比如用户名/密码,我以为我会通过 SSL 传递它.
To secure the data that is important - like the username/password I thought I would just pass it over SSL.
希望这能更好地解释我的问题.
Hope this explains my problem better.
谢谢
推荐答案
看看 HTTP Digest 身份验证.大多数客户端应该支持它,这意味着身份验证详细信息可以作为标头的一部分与每个请求一起安全地传递,而不会干扰请求本身的有效负载.
Take a look at HTTP Digest authentication. Most clients should support it, and it means the auth details can be passed securely with each request as part of the headers without interfering with the payload of the request itself.
这篇关于保护 REST API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
