如何使用 SSL/TLS 和/或消息级安全保护 RESTful php web 服务 [英] How to secure a RESTful php web service with SSL/TLS and/or Message level security
问题描述
我有一个用 php 编写的 RESTful Web 服务,它使用 JSON 进行通信.一些传输的数据非常敏感(密码),我正在寻找一种方法来实现服务的合理安全级别.客户端是 Silverlight 4 应用程序.
I have a RESTful web service written in php that uses JSON for communication. Some of the data transmitted is really sensitive (passwords) and I am looking for a way to achieve a reasonable security level for the service. The client is a silverlight 4 application.
我一直在寻找有关如何实施 SSL/TLS(我假设客户端证书身份验证属于该类别?)和消息级别安全性的明确信息,但在一个 php+json 网络服务.我将非常感谢任何信息和实际示例.我知道这些原则,我只是对 php 不是很有经验.目前我采取的唯一安全措施是一个非常基本的身份验证令牌系统,它在成功登录后创建一个服务器端会话并为用户提供身份验证令牌以进行任何进一步的通信(直到会话过期或用户从不同的IP).我真的想至少保护敏感流量,例如密码.
I have been searching for clear information on how to implement SSL/TLS(I assume that client certificate authentication falls in that category?) and Message level security, but I cannot find good examples regarding the actual implementation of these security measures in a php+json web service. I would be very grateful for any information and practical examples. I am aware of the principles, I am just not very experienced with php. Currently the only security measure that I have in place is a very basic authentication token system, which upon successful login creates a server side session and supplies the user with an authentication token for any further communication(until the session expires or the user connects from a different IP). I really want to at least secure the sensitive traffic such as passwords.
最后,在实施 TLS 和消息层安全后,我必须注意哪些安全问题,例如漏洞和漏洞利用?
Finally, what are the security issues that I have to look out for after implementing TLS and maybe message layer security, as in vulnerabilities and exploits?
先谢谢你.
推荐答案
假设您使用 SSL/TLS 正确配置了 HTTPS,您主要关心的是如何为您的 RESTful 服务实现身份验证.由于 HTTPS 将使用 SSL/TLS 来加密客户端和服务器之间的通信,因此您无需担心加密.如果您需要了解如何正确配置 SSL/TLS,请阅读 了解 SSL/TLS
Assuming you have HTTPS properly configured using SSL/TLS your main concern is how to implement authentication for your RESTful service. Since HTTPS will use SSL/TLS to encrypt the communication between client and server encryption is not something you should worry about. If you need to understand how to properly configure SSL/TLS read Understanding SSL/TLS
保护 RESTful 服务的最佳实践已在 RESTful 身份验证 和 保护 REST API/Web 服务的最佳实践.
Best practices for securing RESTful service is already discussed in RESTful Authentication and Best Practices for securing a REST API / web service.
总结它讨论了 3 个选项
To summarize it discusses 3 options
- 基于 HTTPS 的 HTTP 基本身份验证
- Cookie 和会话管理
- 使用附加签名参数查询身份验证.
另一种选择是探索 OAuth2 进行身份验证.如果是这样,您可以在 OAuth 初学者指南第三部分:安全架构
Another option would be to explore OAuth2 for authentication. If so you can get a good understanding about Oauth2 in Beginner’s Guide to OAuth Part III : Security Architecture
这篇关于如何使用 SSL/TLS 和/或消息级安全保护 RESTful php web 服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
