有哪些方法可以保护REST API?
[英]What are some ways to secure REST APIs?
问题描述
I have a situation where iPhone client Signs In with Google/Facebook 
我遇到iPhone客户端使用Google / Facebook登录的情况
step 1
iPhone Client --------——> Google/Facebook
Once Authenticated, client needs to get data from my REST APIs 身份验证后,客户端需要从我的REST API中获取数据
step 1
iPhone Client --------——> Google/Facebook
|
| step 2
|
V
GET /transactions
Question 题
Since server is not aware if client is authenticated(Ideally client is authenticated), what are some ways I can secure my REST APIs to have confidence that it is reasonably secured against malicious attacks?
由于服务器不知道客户端是否已通过身份验证(理想情况下客户端已通过身份验证),因此我可以通过哪些方式保护我的REST API,以确保其可以可靠地防御恶意攻击? Also, I do not want to maintain user/passwords on server
另外,我不想在服务器上维护用户名/密码
2 个解决方案
解决方案1
0 2014-07-15 23:20:41
You need to look into OAuth2, which is created to authorise user and allow access to secured resources. 您需要研究OAuth2,它是用来授权用户并允许访问安全资源的。 Here are some useful links for the same: 以下是一些有用的链接:
RFC: RFC:
http://tools.ietf.org/html/rfc6749 http://tools.ietf.org/html/rfc6749
One link that can lead you wherever you want to: 一个链接可以带您到任何地方:
解决方案2
0 2014-07-15 23:59:14
您可以为响应中的每个客户端生成一个密钥,然后当客户端再次访问服务器(在请求中提供密钥)时,请比较该密钥在密钥池中是否为有效密钥。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.