Best way to secure Private REST API without user authentication for mobile app


Problem description

I am making some RESTful APIs for my mobile application.

The communication between the app and the web server has to be made in REST. These APIs should be private, and only my app should be able to call them for successful results.

The tough part is that there is no user ID and password required in my app, so I do not know how I could restrict the REST API to the mobile app without basic user authentication.

One solution I thought of was to embed some kind of hard-coded string, so when the mobile app uses the RESTful URL it will pass that in encrypted format over SSL. But I know this seems like a very bad solution.

Kindly suggest what the best solution would be in such a situation.

Recommended answer

Take a look at the Hash-based message authentication code (HMAC) mechanism.

Wikipedia link: http://en.wikipedia.org/wiki/Hash-based_message_authentication_code

Your client (mobile app) will need a public API key that identifies the REST web service client and a private / cryptographic key. The public API key can be sent along with the HTTP request. It is public and everyone can see it. The private key, however, should never be sent along with the request, and should only be known by the server and client. This key is used to generate the hashed message that will be sent to the server instead. The HMAC can be generated using a SHA1 / MD5 algorithm, a message that should be generated by an algorithm that both server and client know and, finally, the private key.
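The scheme described in the answer, as an added example that is not part of the original post: the client signs a canonical message (method, path, timestamp, body hash; this message layout, the header names, the 5-minute replay window and the sample keys are all assumptions) with the private key, and the server looks the private key up by the public key and recomputes the HMAC. HMAC-SHA256 is used here in place of the SHA1 / MD5 named in the answer.

```python
import hmac
import hashlib
import time

# Constructed sample credentials: the public key id identifies the client,
# the private key is only ever held by the app and the server.
CLIENT_KEYS = {"app-public-key-1": b"constructed-private-key-example"}
CLOCK_SKEW_SECONDS = 300  # assumption: reject timestamps more than 5 min off


def canonical_message(method, path, body, timestamp):
    """The message both sides build identically before hashing (assumed layout)."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(public_key, private_key, method, path, body, timestamp=None):
    """Client side: returns the headers to send; the private key itself is never sent."""
    ts = str(int(timestamp if timestamp is not None else time.time()))
    mac = hmac.new(private_key, canonical_message(method, path, body, ts), hashlib.sha256)
    return {"X-Api-Key": public_key, "X-Timestamp": ts, "X-Signature": mac.hexdigest()}


def verify_request(headers, method, path, body, now=None):
    """Server side: recompute the HMAC with the stored private key, compare in constant time."""
    private_key = CLIENT_KEYS.get(headers.get("X-Api-Key", ""))
    if private_key is None:
        return False  # unknown public key
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False  # missing or malformed timestamp
    current = int(now if now is not None else time.time())
    if abs(current - ts) > CLOCK_SKEW_SECONDS:
        return False  # stale or future-dated request, limits replay
    expected = hmac.new(private_key, canonical_message(method, path, body, str(ts)),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the two strings first differ via timing
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    key = CLIENT_KEYS["app-public-key-1"]
    hdrs = sign_request("app-public-key-1", key, "POST", "/v1/scores", b'{"score":42}')
    print(verify_request(hdrs, "POST", "/v1/scores", b'{"score":42}'))  # True
    print(verify_request(hdrs, "POST", "/v1/scores", b'{"score":99}'))  # False, body changed
```

Because the private key has to live inside the app, this only keeps the API private for as long as that embedded secret stays private; the timestamp check bounds how long a captured request can be replayed.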
