对REST面向公众认证机制 [英] Public facing Authentication mechanisms for REST

问题描述

我设计一个新的服务，这将使客户登记，并支付他们执行特定的搜索每次使用的费用类型。该服务将使用一个RESTful和SOAP接口暴露出来。通常情况下，Web服务将与客户的网站整合，然后暴露在公众，任何人都将能够使用客户的网站，并利用我的网络服务功能的优势（其中客户将支付，但有缓和的完全控制该请求，以便它们不会收取太多）。

I am designing a new service that would enable 'customers' to register and pay a per-use type fee for particular searches they perform. This service would be exposed using a RESTFul and SOAP interface. Typically the web service would integrate with the customer's website and then be exposed to the 'public' where anyone would be able to use the customer's website and take advantage of my web service features (which the customer would pay for but have full control of moderating the requests so they don't get charged too much).

我想设计用于优化集成服务，使其尽可能地简单。 Web服务API将改变，因此建立一个内部代理公开Web服务于大众在某些情况下是太多客户诽谤者的。所以这个问题，因为我看到它是创造平衡认证，安全和集成的Web服务。

I want to design the service that optimises the integration to make it as simple as possible. The web service API will change so creating an internal proxy to expose the web service to the public in some cases is too much of a detractor for customers. So the issue as I see it is creating a web service that balances authentication, security and integration.

理想

1. 不使用OAuth


2. 避免迫使客户创造其中内部代理重新公开相同的Web服务API我已经。


3. 是安全的（令牌的用户名/密码不管和SSL）


4. 嵌入客户网站的JavaScript库 - 这将是一个客户端Javascript库进行整合的步骤更容易。


5. JavaScript库将需要足够的安全，使公众将无法简单地抢凭据并重新目的，它本身


6. 不太哈克，如果可能的话，这样的Web服务不必被重新建如果火狐87出来（在尽可能多分钟内释放），并决定FUBAR它

似乎需要的还挺3路一些认证过程，这个工作，即验证特定的客户端（公共），Web服务（客户）和Web服务。

It seems that some kinda of 3-way authentication process is needed for this to work, i.e. authenticates a particular client (in the public), the web service (the customer) and the web service.

有没有人实现的东西样的相似，他们是怎么解决的情况也是这样吗？

Has anyone implemented something kind of similar and how did they tackle a situation like this?

我也明白之间存在什么可以做一个平衡，你会违反跨域安全性，因此可能是整个Web服务可能由另一个被曝光只得到这将返回JSONP数据接口。

I also understand there is a balance between what can be done, and what would violate cross-domain security, so perhaps the entire web service might be exposed by another GET only interface which would return JSONP data.

/ ** 附录 ** /

/** Addendum **/

因为我已经发现了一个Web服务，做什么我期待了。不过，我没有信心我理解的实施细节完全。所以，也许有人也会阐述我的想法。

I have since discovered a web service that does what I'm looking after. However, I am not confident I understand the implementation details entirely. So perhaps someone could also elaborate on my thinking.

我发现该网站的服务似乎主办的Javascript在服务端。那么客户将被包括在的Javascript脚本标记结合他们对服务端的网站，而是提供了一个关键的这样做即。

The web service I discovered seems to host the Javascript on the service side. The customer would then integrate their website with the service side by including the Javascript in a script tag, but supplies a key to do so i.e.

不知怎的，如果我的脚本添加到我的网站这是行不通的。所以某处沿线令牌必须注册到一个特定的客户领域，和客户lib.js实际上是一个servlet或类似的东西，可以以某种方式检测从'公'进来的用户实际上源于'客户'域。

Somehow if I add the script to my website it doesn't work. So somewhere along the line the token must be registered to a particular customer domain, and the 'client-lib.js' is actually a servlet or something similar which can somehow detect that the user from the 'public' coming in has actually originated from the 'customer' domain.

是我的想法对吗？是否有某种HTTP标头可以采用这种方式呢？那是安全的吗？

Is my thinking right? Is there some kind of http header that can be used this way? Is that safe?

干杯

推荐答案

首先 - 让我为你提供一个链接到<一个href=\"http://stackoverflow.com/questions/13186455/authentication-in-restful-web-services/13187135\">another SO质疑我昨天回答了 - 因为它提供了一个pretty广泛的回答类似的问题集

First of all - let me provide you a link to another SO question which I answered yesterday - as it gives a pretty extensive answer to a similar question-set.

我假设你要的所有者收取的网站的从搜索制成，而顾不了那么多谁个人的用户的是谁使搜索。如果这是不正确，请澄清，我会相应地更新我的答案。

I am assuming that you are going to charge the owner of the site from which the search is made, and not care so much who the individual user is who makes the search. If that's incorrect, please clarify and I will update my answer accordingly.

显然，在此情况下，你需要做的首要的事情是要确保你知道这是对每个请求的客户端。和 - 如你所说，你也想确保你保护自己免受跨站点攻击，并窃取人民的用户的密钥

Clearly, in any such case, the first and foremost thing you need to do is to make sure you know which client this is on each request. And - as you said, you also want to make sure you're protecting yourself from cross-site attacks and people stealing your user's keys.

什么你可能会考虑将以下内容：

What you might consider would be the following:

1. 创建一个私钥的在你身边 - 这只是你的服务知道


2. 每当一个新的消费站点您创建帐户，创建一个新的共享密钥的，只有你和他们就知道了。我建议通过创建这个密钥对的私钥的作为密码，和加密某种标识符，这将让你找出这个特定的用户。


3. 当你注册过程的一部分，使消费者网站告诉你URI他们将使用你的脚本。

1. Create a private key on your side - which only your service knows.
2. Whenever a new consumer site creates an account with you, create a new shared key which only you and they will know. I suggest creating this key by using your private key as a password, and encrypting some kind of identifier which will let you identify this particular user.
3. As part of your registration process, make the consumer site tell you what URI they will be using your scripts on.

现在 - 你既做你的跟踪和验证变得相当简单的方式

Now - the way that you both do your tracking and authentication becomes fairly simple.

您提到的提供一个JS库，将不需要更新，每次更新FF。我建议使用jQuery构建图书馆或其他类似地支持跨浏览器的JS基础库 - 并让该包装你的AJAX

You mentioned providing a JS library which won't need to update every time FF updates. I suggest building that library using jQuery, or another, similarly supported cross-browser JS foundational library - and letting that wrap your AJAX.

在客户现场要求你的脚本，但是，让他们为你提供这样的：

When the client site requests your script, however, have them provide you something like:

http://www.yourdomain.com/scripts/library.js?key={shared key}

在你身边，当你收到这个请求，检查以下内容：

On your side, when you receive this request, check the following:

1. 当解密他们的共享密钥的使用您的私钥的，你不应该得到的乱码。如果你这样做 - 这是因为他们的重点已经以某种方式被改变 - 而且是无效的。这将导致在 401：未经授权错误


2. 当你解密密钥，知道的的客户端网站的，这是（因为这是关键中含有） - 检查，以确保该请求是从同一个URI来了客户端注册。现在，这保护你从别人窃取他们的密钥并将其注射到不同的网站。


3. 只要上面的比赛，让他们下载的文件。

1. When you decrypt their shared key using your private key, you should not get gibberish. If you do - it's because their key has been altered in some way - and is not valid. This should result in a 401: Unauthorized error.
2. Once you decrypt the key and know which client site this is (because that's what the key contains) - check to make sure that the request is coming from the same URI that client registered with. This now protects you from someone stealing their key and injecting it into a different website.
3. As long as the above matches, let them download the file.

现在 - 当你所服务的JS文件，你可以在注入钥匙插入该文件的方式做到这一点 - 因此它可以访问他们的共享密钥的。在每个AJAX请求的，包括键，这样就可以识别该请求是来自再来的客户端。在RESTful的环境中，应该不会真的会 - 所以你需要在每一个职位这一级别的认证。我建议，包括它作为一个cookie。

Now - when you serve the JS file, you can do so in a way that injects the key into that file - and therefore it has access to their shared key. On each of your AJAX requests, include that key so that you can identify which client this request is coming from again. In a RESTful environment, there shouldn't really be sessions - so you need this level of authentication on each post. I suggest including it as a cookie.

在你的服务器端 - 简单地重复他们在每个后续请求键的检查 - 瞧 - 你已经建立了自己的一些相当严密的保安没有大量的开销

On your server-side - simply repeat the checks of their key on each subsequent request - and voila - you've built yourself some fairly tight security without a lot of overhead.

这是说 - 如果你期望的很多的流量 - 你可能会想回来到这一点，并在未来发掘更多深层的安全流程，滚动自己的安全矩阵可以留下意想不到的孔。但是 - 这是一个良好的开端，将让你离开地面

That said - if you expect a lot of traffic - you may want to come back to this and explore more deep security processes in the future, as rolling your own security matrix can leave unexpected holes. However - it is a good start and will get you off the ground.

随意，如果你要问任何问题，我会尝试相应地更新我的答案。

Feel free to ask any questions if you need, and I will try to update my answer accordingly.

这篇关于对REST面向公众认证机制的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！