Secure Web Services: REST over HTTPS vs SOAP + WS-Security. Which is better?


Question

I'm not a security expert by any means, but I favor creating REST-style web services.

In creating a new service which needs to have the data it transmits secure, we've entered a debate over which approach is more secure: REST with HTTPS or a SOAP WS with WS-Security.

I am under the impression we could use HTTPS for all the web service calls and this approach would be secure. The way I look at it is, "if HTTPS is good enough for bank and financial web sites, it's good enough for me". Again, I'm not an expert in this space, but I'd think that these people have thought considerably hard about this problem and are comfortable with HTTPS.

A coworker disagrees and says SOAP and WS-Security is the only way to go.

The web seems all over the board on this.

Maybe the community here could weigh in on the pros and cons of each? Thanks!

Answer

HTTPS secures the transmission of the message over the network and provides some assurance to the client about the identity of the server. This is what's important to your bank or online stock broker. Their interest in authenticating the client is not in the identity of the computer, but in your identity. So card numbers, user names, passwords etc. are used to authenticate you. Some precautions are then usually taken to ensure that submissions haven't been tampered with, but on the whole whatever happens in the session is regarded as having been initiated by you.

WS-Security offers confidentiality and integrity protection from the creation of the message to its consumption. So instead of ensuring that the content of the communications can only be read by the right server, it ensures that it can only be read by the right process on the server. Instead of assuming that all the communications in the securely initiated session are from the authenticated user, each one has to be signed.

There's an amusing explanation involving naked motorcyclists here:

https://docs.microsoft.com/archive/blogs/vbertocci/end-to-end-security-or-why-you-shouldnt-drive-your-motorcycle-naked

So WS-Security offers more protection than HTTPS would, and SOAP offers a richer API than REST. My opinion is that unless you really need the additional features or protection you should skip the overhead of SOAP and WS-Security. I know it's a bit of a cop-out but the decisions about how much protection is actually justified (not just what would be cool to build) need to be made by those who know the problem intimately.
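The distinction the answer draws, transport security for the session versus a signature on each message, is easier to see in code. The following is an added example, not code from the question or the answer above, and it deliberately does not implement WS-Security itself (which signs XML with X.509 keys via XML Signature). Instead it shows the same message-level idea in miniature: an HMAC over a canonical JSON body bound to a timestamp and a nonce, verified per message rather than per connection. The shared key, the envelope layout, the `amount` field and the "hop after TLS termination" tampering are all constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Assumption: a shared secret provisioned out of band to client and service.
# A real deployment would use per-client keys (or asymmetric signatures, as
# WS-Security does); this is an illustration of message-level integrity only.
SHARED_KEY = b"example-shared-secret-for-illustration-only"
MAX_CLOCK_SKEW = 300  # seconds a signed message stays acceptable


def canonical_body(body: dict) -> bytes:
    """Serialize deterministically so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _mac(key: bytes, timestamp: int, nonce: str, body: dict) -> str:
    # Bind timestamp and nonce into the MAC so neither can be changed independently.
    signed = b".".join([str(timestamp).encode(), nonce.encode(), canonical_body(body)])
    return hmac.new(key, signed, hashlib.sha256).hexdigest()


def sign_message(body: dict, key: bytes = SHARED_KEY,
                 timestamp: Optional[int] = None, nonce: Optional[str] = None) -> dict:
    """Wrap a body in an envelope carrying timestamp, nonce and signature.

    The envelope travels with the message, so integrity survives any number of
    hops (TLS-terminating proxies, queues, other processes) between the signer
    and the consumer.
    """
    ts = int(time.time()) if timestamp is None else timestamp
    n = secrets.token_hex(16) if nonce is None else nonce
    return {"timestamp": ts, "nonce": n, "signature": _mac(key, ts, n, body), "body": body}


class MessageVerifier:
    """Verifies each message on its own, regardless of which TLS session carried it."""

    def __init__(self, key: bytes = SHARED_KEY, max_skew: int = MAX_CLOCK_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces: set = set()  # in production: a shared store with expiry

    def verify(self, envelope: dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        try:
            ts = int(envelope["timestamp"])
            nonce = str(envelope["nonce"])
            sig = str(envelope["signature"])
            body = envelope["body"]
        except (KeyError, TypeError, ValueError):
            return False, "malformed envelope"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        # Constant-time comparison so the MAC cannot be recovered byte by byte.
        if not hmac.compare_digest(sig, _mac(self.key, ts, nonce, body)):
            return False, "signature mismatch"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"


def tamper_in_transit(envelope: dict) -> dict:
    """Constructed scenario: a hop after TLS termination rewrites the body.

    TLS alone would not detect this, because the bytes were plaintext again at
    that hop; the message-level signature does.
    """
    forged = json.loads(json.dumps(envelope))  # deep copy of the envelope
    forged["body"]["amount"] = 9999
    return forged


if __name__ == "__main__":
    order = {"account": "acct-123", "amount": 50, "to": "acct-456"}  # constructed input
    env = sign_message(order)
    verifier = MessageVerifier()
    print(verifier.verify(env))                     # (True, 'ok')
    print(verifier.verify(tamper_in_transit(env)))  # (False, 'signature mismatch')
    print(verifier.verify(env))                     # (False, 'replayed nonce')
```

The verifier never consults connection state: a message is accepted or rejected on its own signature, freshness and nonce, which is the "each one has to be signed" property the answer attributes to WS-Security. It also shows the cost the answer hints at: canonicalization, key distribution, clock skew tolerance and a nonce store are all things HTTPS-only designs get for free from the TLS session.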
