如何保护使用 Springs 的 REST Api 创建的 RESTful Web 服务? [英] How to secure the RESTful webservices created using Springs's REST Api?

问题描述

我们有一个使用 Spring MVC 3.0 创建的 Spring Web 应用程序 在同一个应用程序中，我们使用 Springs 的 REST API 创建了 RESTful Web 服务.

We have a Spring web application created using Spring MVC 3.0 In the same application, we have created RESTful web services using Springs's REST API.

现在我们需要保护这些网络服务.我们如何在春天做到这一点?我们可以为此使用spring security吗?如果不是，还有什么其他选择?

Now we need to secure those web services. How do we do this in spring? Can we use spring security for this? If not what are the other options?

谢谢.

推荐答案

这实际上取决于您想要施加的安全级别.您可以使用简单的基于 web.xml 的访问控制与领域、用户名和密码.

It really depends on the level of security you want to impose. You could just use simple web.xml based access control with realms, usernames and passwords.

您的网络服务的安全性是另一回事.来自 Spring 安全常见问题解答:

Security of your webservices is another matter. From the Spring Security FAQ:

Web 应用程序容易受到您应该熟悉的各种攻击，最好在您开始开发之前，这样您就可以从一开始就考虑到这些攻击.查看 OWASP 网站，了解有关 Web 应用程序开发人员面临的主要问题以及您可以使用的对策的信息

Web applications are vulnerable to all kinds of attacks which you should be familiar with, preferably before you start development so you can design and code with them in mind from the beginning. Check out the OWASP web site for information on the major issues facing web application developers and the countermeasures you can use against them.

Spring Security 当然是一个选择.大多数情况下，它很容易(现在)与 Spring 集成，并且具有灵活的身份验证模块.

Spring Security is certainly an option. It is for the most part, easy (nowadays) to integrate with Spring and has a flexible authentication module.

您还应该考虑 Apache Shiro.已经回答了与 Spring Security 问题的比较 - Shiro vs. SpringSecurity 和 Shiro 也与 Spring 很好地集成.

You should also consider Apache Shiro. A comparison to Spring Security question has already been answered - Shiro vs. SpringSecurity and Shiro also integrates nicely with Spring.

关于这个主题还有一些其他问题已经得到回答 - 如何使用 spring3 保护服务 REST? 和 寻找一个简单的 Spring安全示例

There are also some other questions already answered on this topic - How to secure a service REST with spring3? and Looking for a Simple Spring security example

我认为当前形式的问题没有明确的答案，但我希望这对您有所帮助.

I do not think there is a definitive answer to the question in it's current form, but I hope this helps all the same.

这篇关于如何保护使用 Springs 的 REST Api 创建的 RESTful Web 服务?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！