Restrict access to RESTful Resources


Question

In designing a REST API for an application, some services are supposed to be public, while other services are preferred to be kept private (i.e. not publicly accessible). OAuth is used by the service application.

What measures should be considered?

Some ideas:

  1. Publish the private resources under obfuscated URIs.
  2. Require a special access key (known only to authorized clients).

Recommended answer

Any resources which need to be protected and constrained to a particular segment of your audience need to have the appropriate access controls in place (basically what you're talking about in point 2). As a guide, refer to APIs from successful services such as Twitter and you'll always find a token involved.

Obfuscation is never acceptable - this is simply security through obscurity and is fundamentally flawed. Have a good read through part of the OWASP Top 10, Failure to Restrict URL Access. The same rules apply to any resources whether they be RESTful or otherwise.
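The answer's point in code, as an added example that is not part of the original question or answer: a route table declares each resource public or tied to a required OAuth scope, and the authorization check is applied uniformly, so a private resource published under an unguessable path (the asker's idea 1) is denied exactly like the plainly named one unless a valid, unexpired bearer token with the right scope is presented. The token store, scope names, paths and token strings are all constructed for the example; a real deployment would resolve tokens through the authorization server (introspection or verified JWT claims) instead of a local dictionary.

```python
import hmac
import time

# Constructed token store standing in for OAuth introspection / verified JWT claims.
# expires_at values are fixed epoch seconds so the example is deterministic.
TOKENS = {
    "tok-client-A": {"scopes": {"read:reports"}, "expires_at": 2_000_000_000},
    "tok-expired":  {"scopes": {"read:reports"}, "expires_at": 1_000_000_000},
}

# Route table: None marks a public resource, otherwise the scope a token must carry.
# The "obscure" path is listed as private too: an unguessable URI earns no exemption.
ROUTES = {
    "/api/status": None,
    "/api/reports": "read:reports",
    "/api/x9f2k7q1/reports": "read:reports",   # obfuscated alias of the same private data
    "/api/admin/users": "admin:users",
}


def lookup_token(presented):
    """Return the token's metadata, comparing in constant time to avoid timing leaks."""
    for stored, meta in TOKENS.items():
        if hmac.compare_digest(stored.encode(), presented.encode()):
            return meta
    return None


def authorize(path, authorization_header=None, now=None):
    """Decide a request: 200 allowed, 401 missing/invalid/expired token,
    403 valid token but insufficient scope, 404 unknown resource."""
    now = time.time() if now is None else now
    if path not in ROUTES:
        return 404
    required_scope = ROUTES[path]
    if required_scope is None:          # public resource: no token needed
        return 200
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401                      # private resource, no credential presented
    meta = lookup_token(authorization_header[len("Bearer "):])
    if meta is None or meta["expires_at"] <= now:
        return 401                      # unknown or expired token
    if required_scope not in meta["scopes"]:
        return 403                      # authenticated, but not authorized for this resource
    return 200
```

Because the decision depends only on the token and the route's declared scope, renaming or hiding the path changes nothing about who can reach the data; that is the property the obfuscation idea lacks.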

