Restrict access to web service to only allow mobile clients


Question

I'm currently building a mobile application (iOS at first), which needs a backend web service to communicate with.

Since this service will be exposing data that I only want to be accessed by my mobile clients, I would like to restrict the access to the service.

However I'm in a bit of a doubt as to how this should be implemented. Since my app doesn't require authentication, I can't just authenticate against the service with these credentials. Somehow I need to be able to identify if the request is coming from a trusted client (i.e. my app), and this of course leads to the thought that one could just use certificates. But couldn't this certificate just be extracted from the app and hence misused?

Currently my app is based on iOS, but later on Android and WP will come as well.

The web service I'm expecting to develop in nodejs, though this is not a final decision - it will however be a RESTful service.

Any advice on best practice is appreciated!

Answer

Simple answer: You cannot prevent just anybody from accessing your web site from a non-mobile client. You can, however, make it harder.

Easy:

  • Send a non-standard HTTP header

  • Set some unique query parameter

  • Send a funny (or subtly non-funny) user-agent string

  • (you can probably think of a few more)

Harder:

  • Implement a challenge/response protocol to identify your client

  • (Ab)use HTTP as a transport for your own encrypted content

  • (you can probably think of a few more)

Of course anybody could extract the data, decompile your code, replay your HTTP requests, and whatnot. But at some point, being able to access a free Web application wouldn't be worth the effort that'd be required to reverse-engineer your app.

There's a more basic question here, however. What would be the harm of accessing your site with some other client? You haven't said; and without that information it's basically impossible to recommend an appropriate solution.
