Best Practices for securing a REST API / web service


Question

When designing a REST API or service are there any established best practices for dealing with security (Authentication, Authorization, Identity Management)?

When building a SOAP API you have WS-Security as a guide and much literature exists on the topic. I have found less information about securing REST endpoints.

While I understand REST intentionally does not have specifications analogous to WS-*, I am hoping best practices or recommended patterns have emerged.

Any discussion or links to relevant documents would be very much appreciated. If it matters, we would be using WCF with POX/JSON serialized messages for our REST APIs/services built using v3.5 of the .NET Framework.

Answer

As tweakt said, Amazon S3 is a good model to work with. Their request signatures do have some features (such as incorporating a timestamp) that help guard against both accidental and malicious request replaying.

The nice thing about HTTP Basic is that virtually all HTTP libraries support it. You will, of course, need to require SSL in this case because sending plaintext passwords over the net is almost universally a bad thing. Basic is preferable to Digest when using SSL because even if the caller already knows that credentials are required, Digest requires an extra roundtrip to exchange the nonce value. With Basic, the caller simply sends the credentials the first time.

Once the identity of the client is established, authorization is really just an implementation problem. However, you could delegate the authorization to some other component with an existing authorization model. Again, the nice thing about Basic here is your server ends up with a plaintext copy of the client's password that you can simply pass on to another component within your infrastructure as needed.
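The two mechanisms the answer contrasts, S3-style signed requests with a timestamp window and HTTP Basic restricted to TLS, as an added example in Python (not part of the original answer, and not Amazon's or WCF's own code). The `DEMO` scheme name, the `CLIENT_SECRETS` table, the canonical string layout and the five-minute skew window are all constructed for the demo; the point shown is the server-side check, in particular how the timestamp turns an otherwise valid signature into a rejected replay once it is stale.

```python
import base64
import hashlib
import hmac
import time
from email.utils import formatdate, parsedate_to_datetime

# Constructed demo credential; a real service would look the secret up by access key id.
CLIENT_SECRETS = {"demo-access-key": b"demo-secret-do-not-reuse"}

# Requests whose Date header is further than this from server time are refused (hypothetical value).
MAX_CLOCK_SKEW_SECONDS = 300


def string_to_sign(method, path, date_header, content_md5="", content_type=""):
    # Canonical form loosely modelled on the S3 style: method, body hash, type, date, resource.
    # The Date header is part of the signed string, so it cannot be altered without breaking the MAC.
    return "\n".join([method.upper(), content_md5, content_type, date_header, path])


def sign_request(method, path, date_header, access_key, secret, content_md5="", content_type=""):
    msg = string_to_sign(method, path, date_header, content_md5, content_type).encode()
    sig = base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()
    return f"DEMO {access_key}:{sig}"


def make_signed_headers(method, path, access_key, now, content_type=""):
    # Client side: stamp the request with the current time and sign it.
    date_header = formatdate(now, usegmt=True)
    secret = CLIENT_SECRETS[access_key]
    auth = sign_request(method, path, date_header, access_key, secret, "", content_type)
    return {"Date": date_header, "Content-Type": content_type, "Authorization": auth}


def verify_request(method, path, headers, now=None):
    """Server side. Returns (ok, reason); checks freshness first, then the signature."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("DEMO ") or ":" not in auth:
        return False, "missing or malformed Authorization header"
    access_key = auth[5:].split(":", 1)[0]
    secret = CLIENT_SECRETS.get(access_key)
    if secret is None:
        return False, "unknown access key"
    try:
        sent_at = parsedate_to_datetime(headers.get("Date", "")).timestamp()
    except (TypeError, ValueError):
        return False, "missing or unparsable Date header"
    # A captured request replayed outside the window fails here even though its signature is intact.
    if abs(now - sent_at) > MAX_CLOCK_SKEW_SECONDS:
        return False, "request timestamp outside allowed window (possible replay)"
    expected = sign_request(method, path, headers["Date"], access_key, secret,
                            headers.get("Content-MD5", ""), headers.get("Content-Type", ""))
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, auth):
        return False, "signature mismatch"
    return True, "ok"


def parse_basic_credentials(auth_header, over_tls):
    """Extract (user, password) from an HTTP Basic header; refuse unless the connection is TLS."""
    if not over_tls:
        # Basic is base64, not encryption: the password is effectively plaintext on the wire.
        raise PermissionError("Basic credentials are plaintext; refuse them off TLS")
    scheme, _, blob = auth_header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    now = 1700000000
    headers = make_signed_headers("GET", "/buckets/demo/object.txt", "demo-access-key", now)
    print(verify_request("GET", "/buckets/demo/object.txt", headers, now=now))
    print(verify_request("GET", "/buckets/demo/object.txt", headers, now=now + 900))
    print(parse_basic_credentials("Basic YWxpY2U6czNjcmV0", over_tls=True))
```

The skew window is what gives the timestamp its value: a signature alone proves the request came from a key holder, but only the freshness check stops the same bytes being accepted again later. A tighter guarantee needs a per-request nonce cache on top of this, which the answer does not go into.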
