GET vs POST in REST Web Service

Question

I'm in the process of developing a REST service that allows a user to claim their listing based on a couple of pieces of information that appear on their invoice (invoice number and billing zip).

I've read countless articles and Stack Overflow questions about when to use GET and when to use POST. Overall, the common consensus is that GET should be used for idempotent operations and POST should be used for operations that create something on the server side. However, this article:

http://blog.teamtreehouse.com/the-definitive-guide-to-get-vs-post

has caused me to question using GET for this particular scenario, simply because of the fact that I'm using these 2 pieces of information as a mechanism to validate the identity of the user. I'm not updating anything on the server using this particular method call, but I also don't necessarily want to expose the information in the URL.

This is an internal web service and only the front-end that calls the service is publicly exposed, so I don't have to worry about the URL showing up in a user's browser history. My only concern would be the unlikely event that someone gains server log access, in which case I'd have bigger problems.

I'm leaning toward POST for security reasons; however, GET feels like the correct method due to the fact that the request is idempotent. What is the recommended method in this case?

Recommended answer

Independently of POST vs GET, I would recommend NOT basing your security on something as simple as a zip code and an invoice number. I would bet on the fact that invoice numbers are sequential (or close), and there aren't that many zip codes around - voila, I got full access to your listings.

If you're using another authentication method (typically in an HTTP header), then you're good - it doesn't matter if you have an invoice number in the URL, so you might as well use GET.

If you're not, then I guess POST isn't as bad as GET in terms of exposing confidential content.
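The design the answer recommends, as an added example that is not code from the question or the answer: identity comes from an Authorization header, the invoice number and ZIP travel in a POST body rather than the query string, and failed attempts per account are capped so that sequential invoice numbers cannot simply be walked. It assumes a simplified WSGI-style environ dict (with `wsgi.input` holding the already-read body as a string) and a hypothetical bearer-token session store; the listing data and tokens are constructed for the example.

```python
import hmac
import json

# Constructed sample data for the example, not from any real system.
LISTINGS = {"10042": {"zip": "90210", "claimed_by": None}}
SESSIONS = {"tok-abc": "acct-7"}   # hypothetical bearer-token -> account store
ATTEMPTS = {}                      # failed claim attempts per authenticated account
MAX_ATTEMPTS = 5                   # blunts guessing of near-sequential invoice numbers


def access_log_line(environ):
    """Approximates what a typical access log records: method, path and query
    string. Headers and bodies are not logged, which is exactly the exposure
    difference between the GET and POST designs discussed above."""
    query = environ.get("QUERY_STRING", "")
    line = f'{environ["REQUEST_METHOD"]} {environ["PATH_INFO"]}'
    return f"{line}?{query}" if query else line


def claim_listing(environ):
    """Hardened claim handler. Returns (status, json-serialisable body)."""
    if environ["REQUEST_METHOD"] != "POST":
        return 405, {"error": "use POST with a JSON body"}
    # Identity is established by the header, not by the invoice/ZIP pair.
    token = environ.get("HTTP_AUTHORIZATION", "").removeprefix("Bearer ").strip()
    account = SESSIONS.get(token)
    if account is None:
        return 401, {"error": "authentication required"}
    if ATTEMPTS.get(account, 0) >= MAX_ATTEMPTS:
        return 429, {"error": "too many attempts"}
    try:
        body = json.loads(environ["wsgi.input"])
        invoice, zip_code = str(body["invoice"]), str(body["zip"])
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed body"}
    listing = LISTINGS.get(invoice)
    # Compare against a same-length dummy when the invoice is unknown so the
    # comparison's timing does not reveal which invoice numbers exist.
    expected = listing["zip"] if listing else "0" * len(zip_code)
    matched = hmac.compare_digest(expected.encode(), zip_code.encode())
    if listing is None or not matched or listing["claimed_by"]:
        ATTEMPTS[account] = ATTEMPTS.get(account, 0) + 1
        return 403, {"error": "claim rejected"}   # one generic failure message
    listing["claimed_by"] = account
    return 200, {"invoice": invoice, "claimed_by": account}
```

With the GET shape from the question, the same invoice and ZIP would appear verbatim in the `access_log_line` output; with the POST shape they never reach the log.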
