
How can I secure a REST web service?

I am studying for the Spring core certification and I have some doubts related to how REST web services work, and I am studying this to apply it to the Spring framework.

So I have some doubts related to this question, based on my study material, but I can't find an answer.

So the questions are (I don't know if these questions are related to each other):

  1. Is REST secure? What can you do to secure it?

  2. Does REST work with transport layer security (TLS)?

I have understood how a REST web service works and I know that it uses the HTTP methods to access resources and implement CRUD operations, but what does it mean to ask if REST is secure? What is meant by secure in this specific case?

And what exactly is TLS in REST?

1. Is REST secure? What can you do to secure it?

REST is a paradigm. It's not a finished protocol or an implementation. There are mechanisms to secure RESTful web services (one would be TLS), but by default REST doesn't say anything about it.

OWASP gives a good overview of REST security topics and how to secure a RESTful web service.

What is security?

Please note that there are different security objectives in information security:

  • confidentiality
  • integrity
  • availability

All would need different security measures. Some cannot be handled by the web service (REST) alone. (E.g. availability would mean that the server itself is secured and you have security measures against DDoS attacks.)

It's not really well defined what REST is in detail; it's not an official standard or a specification. I would say that REST per se is not secure. There are mechanisms you can build around it to secure it (like TLS, token authentication). Many of these measures have nothing to do with REST directly.

2. Does REST work with transport layer security (TLS)?

Yes. Transport Layer Security can encrypt the communication to a RESTful web service and authenticate the server to a client (confidentiality and, to some extent, integrity).
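Since the question is about applying this to Spring, here is what the two mechanisms named above (TLS and token authentication) plus URL-level authorization look like in a Spring Boot 3 / Spring Security 6 resource server. This is an added example, not code from the original answer; it assumes the starters spring-boot-starter-web, spring-boot-starter-security and spring-boot-starter-oauth2-resource-server are on the classpath, a PKCS12 keystore named keystore.p12 on the classpath, an identity provider at the hypothetical https://idp.example.com/ that issues JWTs whose scope claim contains orders:read and orders:write, and a hypothetical /api/** namespace.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not from the original page). Assumes Spring Boot 3 / Spring Security 6 and the
// following hypothetical application.properties, which is where TLS for the REST service actually
// comes from: Spring Boot then listens on HTTPS only.
//
//   server.port=8443
//   server.ssl.key-store=classpath:keystore.p12
//   server.ssl.key-store-password=changeit
//   server.ssl.key-store-type=PKCS12
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://idp.example.com/
//
// The issuer-uri lets Spring fetch the IdP's signing keys and validate the JWT signature,
// expiry and issuer on every request (token authentication).
@Configuration
@EnableWebSecurity
public class RestApiSecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Defence in depth: if a plain-HTTP connector or proxy ever reaches this app,
            // redirect to HTTPS rather than serving the resource in clear text.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            // REST clients present a bearer token on each call, so there is no server-side
            // session to protect and CSRF (a cookie-session attack) does not apply.
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            // Authorization: REST says nothing about who may touch which resource; you decide
            // here. Spring maps each value of the JWT "scope"/"scp" claim to a SCOPE_ authority.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                .requestMatchers(HttpMethod.GET, "/api/**").hasAuthority("SCOPE_orders:read")
                .requestMatchers("/api/**").hasAuthority("SCOPE_orders:write")
                // Anything not explicitly listed is refused: fail closed.
                .anyRequest().denyAll())
            // Token authentication: require "Authorization: Bearer <jwt>" and validate it.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

A request without a valid token to /api/orders gets 401 before any controller code runs; one whose token lacks orders:write trying DELETE /api/orders/7 gets 403. Note what this does and does not give you: TLS covers confidentiality and server authentication on the wire, the JWT covers who the caller is, and the matchers cover which URLs they may reach. Whether the caller may see the particular row they asked for is still up to the handler.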

1. It depends. Security is about tradeoffs, not a simple yes/no question. REST is not inherently secure or insecure; it depends on how you implement it. One example is SQL injection attacks: the use of REST has no bearing on whether the system prevents them. Another example is authorizing access: REST does not inherently limit access to the resources it exposes. If you need a guarantee that those resources can only be accessed locally, using REST will make it harder to ensure that.

2. Generally yes. Off-the-shelf servers support TLS, but a completely written-from-scratch program using REST to communicate might not implement TLS code (this is a rather unrealistic scenario, but I'm including it for the sake of completeness).
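The two examples this answer gives, SQL injection and resource authorization, are decided inside the handler, where the REST style has no say. Here is a Spring MVC controller showing the vulnerable form of a resource lookup beside the hardened one. This is an added example, not code from the original page or answer; it assumes Spring Boot with spring-boot-starter-web, spring-boot-starter-jdbc and Spring Security configured as a JWT resource server, a hypothetical table orders(id, owner, total), and that the owner column stores the same value as the JWT sub claim.

```java
import java.util.List;
import java.util.Map;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example (not from the original page). Hypothetical resource: orders(id, owner, total).
@RestController
@RequestMapping("/api/orders")
public class OrderController {

    private final JdbcTemplate jdbc;

    public OrderController(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // BEFORE (vulnerable, kept only to show the problem): the path segment is spliced into SQL.
    // Nothing in REST stops  GET /api/orders/legacy/1%20OR%201=1  from returning every order,
    // including other users' rows. Being authenticated does not help: the token proves who the
    // caller is, not that the query they trigger is the one you meant.
    @GetMapping("/legacy/{id}")
    public List<Map<String, Object>> legacy(@PathVariable String id) {
        return jdbc.queryForList("SELECT id, owner, total FROM orders WHERE id = " + id);
    }

    // AFTER: a typed path variable (non-numeric input is rejected with 400 before any SQL is built),
    // a bind variable instead of concatenation, and an object-level ownership check, which is the
    // authorization REST itself does not provide.
    @GetMapping("/{id}")
    public ResponseEntity<Map<String, Object>> byId(@PathVariable long id, Authentication caller) {
        List<Map<String, Object>> rows = jdbc.queryForList(
                "SELECT id, owner, total FROM orders WHERE id = ?", id);
        if (rows.isEmpty()) {
            return ResponseEntity.notFound().build();
        }
        Map<String, Object> order = rows.get(0);
        // caller.getName() is the JWT subject for a JwtAuthenticationToken.
        if (!caller.getName().equals(order.get("owner"))) {
            // Answer 404, not 403, so a caller cannot enumerate which ids exist.
            return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
        }
        return ResponseEntity.ok(order);
    }
}
```

Spring resolves the Authentication parameter from the validated bearer token; the ownership comparison is the part that turns "any authenticated user can read any order" into "a user can read their own orders". For the "only accessible locally" case the answer mentions, the realistic control is outside the handler as well: bind the server to the loopback interface (in Spring Boot, server.address=127.0.0.1) or restrict it at the firewall, rather than trying to express locality in REST.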
