堆栈内存溢出
  简体   繁体   English

如何使用查询身份验证保护REST API

[英]how to secure rest api with query authentication

 原文  2015-07-27 08:33:07       android/ asp.net/ web-services/ rest/ rest-security

问题描述

I have a rest API which create by asp.net webservice, and I have an android and IOS application which call the api and show some data to the user. 我有一个由ASP.NET Web服务创建的Rest API,还有一个android和IOS应用程序,它们调用api并向用户显示一些数据。

what I need is to secure my API in a way that only my application can access to the data through the api and other request rejects. 我需要的是保护我的API的方式,只有我的应用程序才能通过api和其他请求拒绝来访问数据。

I should mention that my application are not user base so there is no login and authentication and I don't want force user login !!! 我应该提到我的应用程序不是基于用户的,因此没有登录名和身份验证,并且我不想强制用户登录!

According to my search, I need query authentication (query parameters) to achieve this. 根据我的搜索,我需要查询身份验证(查询参数)才能实现此目的。

What I need is how to create this kind of query parameters and how to validate them? 我需要的是如何创建这种查询参数以及如何对其进行验证? (Performance is too important for me) (性能对我来说太重要了)

Thanks in advance 提前致谢

2 个解决方案

解决方案1
 0  2015-07-27 09:51:03

You can use basic authentication or any token based authentication mechanism. 您可以使用基本身份验证或任何基于令牌的身份验证机制。 So on every request to your api, get the authentication headers(authenticiation tokens in http request header) and verify if client is allowed to invoke it. 因此,在对您的api的每个请求上,获取身份验证标头(http请求标头中的身份验证令牌)并验证是否允许客户端调用它。 If it failed then send by necessary HTTP status code. 如果失败,则通过必要的HTTP状态代码发送。 You just need to ensure that the applications that you want to allow to call your api are using those security tokens in their request headers. 您只需要确保要允许其调用api的应用程序在其请求标头中使用这些安全令牌即可。 And you can keep those credentials or security tokens in memory or file or db as you like. 您可以根据需要将这些凭据或安全性令牌保留在内存,文件或数据库中。

解决方案2
 0  2015-07-27 13:16:22

I am not a security expert, but as far as I know what you want is not possible. 我不是安全专家,但据我所知您无法实现。 Anything you embed on the client to authenticate your application is accessible to an attacker, who can than use that information to access your API. 攻击者可以访问您在客户端上嵌入的用于验证应用程序的任何内容,然后攻击者可以使用该信息来访问您的API。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Boot中的安全REST API无需登录身份验证 - Secure REST API in Spring Boot without login authentication 如何正确保护我的REST-API - How to correctly secure my REST-API 如何为移动应用程序保护REST API? - How to secure a REST API for mobile applications? Okta身份验证和OAuth来保护API - Okta Authentication and OAuth to secure API 无需移动应用程序的用户身份验证即可保护私有REST API的最佳方法 - Best way to secure Private REST API without user authentication for mobile app 如何使用基本身份验证保护Android / ios应用程序的Web API - How to secure Web API for android/ios apps with basic authentication 如何调用需要基本身份验证的Rest API? - How to call rest api that require basic authentication? 如何为我的应用程序创建安全的Rails REST Api? - How to create a secure Rails REST Api for my app? 如何使用REST API或其他方法保护JSON文件? - How can I Secure a JSON file with REST API or other methods? 带有身份验证令牌的Rest API - Rest API with authentication token
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM