Restful Login - proper implementation


Problem description

New to RESTful services but read a lot on the subject. Implementing in VS2010 C#

Similar (nearly identical) questions have been asked and answered here on Stack Overflow, but honestly I learned nothing from the responses.

I want to implement an AuthenticatUser call where a username and password is sent and an authentication key is returned.

Given that this needs to be done with a GET, POST, PUT, OR DELETE, it seems the GET would be most appropriate.

So perhaps GET mydomain/myservice/authenticate/{username}/{password}

I don't like this because the username and password are passed in the URI, but as I understand it, it is not a good idea to send a body in a GET. So a POST or PUT would work, but that seems to diverge from the RESTful philosophy.

Question 1: Is it OK to send sensitive data like password in the URL? The site will use SSL.

Question 2: In GETs, when there are multiple parameters being passed, it seems like the URI concept would get a bit crazy. How are complex queries supposed to be handled RESTfully?

Question 3: What is the preferred (normal, most common) method of authentication in a RESTful API?

Recommended answer

It is not correct to pass a password in the URL. I have done some research on this. Firstly, you should use Basic Authentication over SSL if that is possible. In the Authentication header, pass the userid and password. Now, as far as REST is concerned, the session is not maintained on the server. So you need to pass the user id and password for every call. It is risky to store the password in the local storage. Hence, use a POST call for first-time authentication and pass the userid and password. Then, on return of successful authentication, the server returns a tokenkey and tokenvalue. tokenkey and tokenvalue are similar to the Amazon private key shared initially. From the next request onwards, send the tokenkey and sign your data using the tokenvalue. Pass the tokenkey and signature every time. On the server end, the server verifies the signature since it has a copy of the tokenvalue. tokenkey and tokenvalue can be stored locally, encrypted if possible. You cannot use the tokenkey and tokenvalue forever. Hence, on each request the server sends a nonce in the response. This nonce is stored in a database on the server end and changes for every request. When you send a request to the server, include this nonce. The nonce is formed using a timestamp. If a request is sent, say, after 15 minutes, the nonce is decrypted and the timestamp is found to be more than 15 minutes old, and hence you redirect him to the login page. Formation of the nonce is given in http://www.ietf.org/rfc/rfc2617.txt. Once the nonce is successfully validated, this nonce is discarded and a new nonce is sent (formed again with the latest timestamp). This will also help to prevent replay attacks.
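The token/nonce scheme the answer describes, written out as an added Python example (it is neither the asker's C# project nor code from the answer): a one-time POST login hands out a tokenkey (public id) and tokenvalue (shared secret), every later request carries the tokenkey, the last server-issued nonce and an HMAC over the request, and the server checks nonce age (15 minutes), single use and the signature before rotating the nonce. The class, function names, the in-memory stores and the sample user are assumptions.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 15 * 60  # the answer's 15-minute window, in seconds


def sign(tokenvalue, nonce, method, path, body):
    """Client-side signature: HMAC-SHA256 over the nonce and the request, keyed with tokenvalue."""
    msg = "\n".join([nonce, method, path, body]).encode()
    return hmac.new(tokenvalue.encode(), msg, hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self, users, now=time.time):
        self.users = users   # constructed {username: password}; real systems store a password hash
        self.tokens = {}     # tokenkey -> {"secret": tokenvalue, "nonce": the one nonce currently valid}
        self.now = now       # injectable clock so expiry can be exercised

    def login(self, username, password):
        """The one-time POST with credentials (over TLS). Returns (tokenkey, tokenvalue, first nonce) or None."""
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        tokenkey, tokenvalue = secrets.token_hex(8), secrets.token_hex(32)
        nonce = self._new_nonce()
        self.tokens[tokenkey] = {"secret": tokenvalue, "nonce": nonce}
        return tokenkey, tokenvalue, nonce

    def _new_nonce(self):
        # "<timestamp>:<random>" so the server can read the issue time back out, in the spirit of RFC 2617
        return f"{int(self.now())}:{secrets.token_hex(8)}"

    def handle(self, tokenkey, nonce, method, path, body, signature):
        """Verify the nonce (known, unused, fresh) and the HMAC; on success discard the nonce and issue a new one."""
        entry = self.tokens.get(tokenkey)
        if entry is None or not hmac.compare_digest(entry["nonce"], nonce):
            return "reject: unknown token or stale/reused nonce", None
        issued = int(nonce.split(":", 1)[0])
        if self.now() - issued > NONCE_TTL:
            del self.tokens[tokenkey]            # token expired: client must log in again
            return "redirect: login", None
        expected = sign(entry["secret"], nonce, method, path, body)
        if not hmac.compare_digest(expected, signature):
            return "reject: bad signature", None
        entry["nonce"] = self._new_nonce()       # old nonce is gone, so a replay of this request fails
        return "ok", entry["nonce"]
```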

