为指定的客户端提供一些REST API资源
[英]Offer some REST API resources for specified clients
问题描述
I think there is no solution for problem we're facing, but for confirmation I would like to you ask here. 
我认为我们没有解决问题的方法,但是为了确认我想在这里问您。
We have REST API that is consumed from: 我们有REST API,它用于:
- administration website (AngularJS) 管理网站(AngularJS)
- customer website (AngularJS) 客户网站(AngularJS)
- other REST API clients (own API applications) 其他REST API客户端(自己的API应用程序)
Because requests from administration/customer website are made by AngularJS at a client side, users are able to determine (eg via FireBug) resources URLs and are able to consume all these resources from their own applications - what we don't want to and we cannot to restrict it eg with IP address because requests go from client. 由于来自管理/客户网站的请求是由AngularJS在客户端发出的,因此用户能够(例如通过FireBug)确定资源URL,并能够从自己的应用程序中使用所有这些资源-我们不希望这样做,而我们不能用IP地址来限制它,因为请求来自客户端。 We would like to offer some group of resources only for customer / administration website and some resources for own REST API clients and some resources for both, but from the principle of JS requests made from AngularJS (and resource URL visibility) it cannot be done(?). 我们只想为客户/管理网站提供一些资源,为自己的REST API客户端提供一些资源,为这两者提供一些资源,但是根据AngularJS发出的JS请求的原理(以及资源URL可见性),它是不可能做到的( ?)。
What could be the best practice for this issue? 此问题的最佳做法是什么?
1 个解决方案
解决方案1
1 2014-01-13 20:40:56
Note: Your REST resources should always be secure. 注意:您的REST资源应始终安全。 You should never depend on any client side javascript code. 您永远不应依赖任何客户端javascript代码。 If your security is breached because someone knows the URI of an REST api; 如果由于有人知道 REST API的URI而破坏了安全性; something is very wrong . 出事了 。
Angular can be made modular is such a way that the customers only see the customer modules and the administrators see the customer and administrator modules. 可以将Angular模块化,客户只能看到客户模块,而管理员可以看到客户和管理员模块。 This way you can let the administrators play in a WYSIWYG environment without having them to switch back and forth between the websites. 这样,您可以让管理员在所见即所得的环境中工作,而无需他们在网站之间来回切换。
// Customers.js
// Module only containing customer code
angular.module('myCustomerProducts', ['myMainApp']);
// Administrators.js
// Module only containing administrator code
angular.module('myEditCustomerProducts', ['myCustomerProducts', 'myMainApp']);
Since your website is already separated for administrators and customers you can simply only include and deploy the javascript code for the specified target site. 由于您的网站已经被管理员和客户分开,因此您仅可以包括和部署指定目标网站的javascript代码。 If this is not the case you'll need some server side transformation (eg. ASP.NET, PHP, Jade, ...) to build the index.html dynamically based on the credentials of the user. 如果不是这种情况,则需要一些服务器端转换(例如ASP.NET,PHP,Jade等),以便根据用户的凭据动态构建index.html。 Depending on the hosting platform, you can also deny access to everyone not in the administrator group when requesting anything from the administrator website (area). 根据托管平台,在从管理员网站(区域)请求任何内容时,您也可以拒绝对不在管理员组中的所有人的访问。
But again; 但是又 the server side security is way more of value. 服务器端安全性更有价值。 You can't secure an insecure server with javascript (on the client side). 您无法使用javascript(在客户端)保护不安全的服务器。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.