How to protect RESTful API

Question

I have been looking for a way to protect my RESTful APIs. This appeared simple, but it seems to not be so simple. First off, I am writing an iOS app connecting to a Play Framework server. None of this has anything to do with Google, Facebook, Twitter, or LinkedIn (shocking, I know). Oh, and my current plans do not require custom apps to use my APIs; it's just my apps for the time being.

Basic Authentication

What appeared to be simple was a basic user/pass on a /auth method managing a cookie session. That may draw some groans as being too simple or weak, but mostly it moved identity to a session key quickly verified. My initial setup was to expire the sessions every day, but that led to the iOS app forcing a login daily, proving to be an annoyance.

OAuth

I posted a question on an iOS board and received a blunt direction towards OAuth. My research of OAuth began, but holy sh*t is that complicated, and there does not seem to be any server side examples... just plenty of people complaining about how frustrating it is. All the client examples show connecting to Google, Facebook, Twitter, and LinkedIn. Oh joy!

After watching Eran Hammer's rant about OAuth1 and OAuth2, it seemed fruitless to continue, and his OZ idea (which looks really clean) is only at the early stages in node.js.

So, my question to the broad StackOverflow community is... what do you do for securing your REST APIs?

Accepted answer

I'd suggest considering the approach used by the biggest players, i.e. Amazon Web Services or Windows Azure: HMAC. Although it isn't comfortable in implementation, as you can see it's a trusted technique.

The general idea is to sign the request's parts (i.e. headers) in iOS with a secret key and try to recalculate it on the Play app to verify that the request is authentic and not manipulated. If it doesn't fail, you can be (almost) sure that it was sent from somebody who uses the valid secret key.

Take a look into Windows' document to get the concept (I think that for common tasks, you can use a smaller number of elements for signing).

There is also another interesting post (based on AWS authentication) which describes the whole process even better.

Edit

Of course you should realize that authentication in iOS and securing API requests are different things; even if you expire your session every 15 minutes, you can't be sure that somebody won't overhear it and then be able to send a fake request from the outside. Signing every request should minimize the risk.

On the other hand, if you prepare clear rules for signing the requests and write a short doc (which I recommend even for yourself), you can deliver it to the other developer and he'll be able to implement it on (almost) any platform supporting SHA256, so you will have the API ready for use from 3rd-party apps, if you decide to publish it in the future.
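The request-signing scheme the answer describes, as an added Python example (not code from the answer, the Play app, or AWS/Azure): the client builds a canonical string from the method, path, timestamp and a SHA-256 digest of the body, signs it with HMAC-SHA256, and the server recomputes and compares it. The key id, secret, header names and time window are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo credentials; a real deployment issues one key id/secret per app.
KEY_ID = "demo-app"
SECRETS = {"demo-app": b"constructed-secret-do-not-reuse"}
MAX_SKEW = 300  # seconds; a stale timestamp is rejected, limiting replay of a captured request


def canonical_string(method, path, headers, body):
    """The exact bytes both sides sign: method, path, timestamp, body digest."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, headers["X-Timestamp"], body_hash])


def sign_request(key_id, secret, method, path, body, now=None):
    """Client side (iOS in the question): attach key id, timestamp and signature headers."""
    ts = int(now if now is not None else time.time())
    headers = {"X-Key-Id": key_id, "X-Timestamp": str(ts)}
    msg = canonical_string(method, path, headers, body).encode()
    headers["X-Signature"] = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return headers


def verify_request(method, path, headers, body, now=None):
    """Server side (the Play app): recompute the MAC and compare in constant time."""
    secret = SECRETS.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False  # unknown key id
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False  # missing or malformed timestamp
    now = now if now is not None else time.time()
    if abs(now - ts) > MAX_SKEW:
        return False  # outside the accepted time window
    msg = canonical_string(method, path, headers, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    body = b'{"note":"hello"}'
    h = sign_request(KEY_ID, SECRETS[KEY_ID], "POST", "/notes", body)
    print(verify_request("POST", "/notes", h, body))             # True
    print(verify_request("POST", "/notes", h, b'{"note":"x"}'))  # False: body altered
```

Anything not covered by the canonical string (here: other headers, the query string) can be changed without failing verification, so the signing rules should list exactly which elements are included.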
