如何使用基本身份验证保护Android / ios应用程序的Web API
[英]How to secure Web API for android/ios apps with basic authentication
问题描述
I am trying to secure a Web API which will be used by a mobile app running on Android and iOS . 
我正在尝试保护一个Web API ,该Web API将由在Android和iOS上运行的移动应用程序使用。 The way it works now is with Basic Authentication with SSL , it sends the username and password with each request to the Web API . 它现在的工作方式是使用SSL进行Basic Authentication ,它会将每个请求的username和password发送到Web API 。 I validate the credentials in the Web API in a filter before the action is called. 在调用action之前,我在filter验证Web API中的凭据。 This works great. 这非常有效。 The problem is, after users login I have to store the password on the device ( Android / iOS ) to save the session or they will have to login all the time. 问题是,在用户登录后,我必须将密码存储在设备( Android / iOS )上以保存会话,否则他们将不得不一直登录。 This isn't secure because if the device is hacked the credentials can be accessed. 这不安全,因为如果设备被黑客入侵,则可以访问凭证。 I'm looking for a way to user basic authentication without storing passwords on the device. 我正在寻找一种方法来使用基本身份验证,而无需在设备上存储密码。
I think the solution in this article can work but I am unclear how to make it work. 我认为在解决这个文章可以工作,但我不清楚如何使它发挥作用。 In the accepted answer it says 在接受的答案中,它说
Generate a key for each of your apps and have them pass the key in each request as a token.
Take a look at the Basic Authentication module from the ASP.NET site.
I am not clear exactly on the process here. 我不清楚这里的过程。 In this example there doesn't seem to be any username/password involved even during initial login. 在此示例中,即使在初始登录期间也似乎没有涉及任何用户名/密码。 How would the user obtain the key without logging in? 用户如何在不登录的情况下获取密钥? Then, what exactly is the "key" referred to in the quote. 然后,报价中提到的“关键”究竟是什么。 That could be anything such as a Guid ? 那可能是像Guid这样的东西? I am also not understanding how this is anymore secure than storing a username and password on the device if is hacked. 我也不理解这比如果被黑客攻击在设备上存储用户名和密码更安全。 The hacker could use the "key" just as the username and password correct? 黑客可以使用“密钥”,就像用户名和密码一样正确吗?
1 个解决方案
解决方案1
3 2015-07-29 21:57:29
that's basics of authentication, I'll explain the process in a simplfied way. 这是身份验证的基础知识,我将以简单的方式解释这个过程。 Hope you understand. 希望你能理解。
- user types name and password and tap login. 用户键入名称和密码,然后点击登录。
- device send name and password to server. 设备向服务器发送名称和密码。
- server authenticate and respond with a long random unique sequence of characters (aka the key). 服务器使用长的随机唯一字符序列(也称为密钥)进行身份验证和响应。
- Both device and server stores the key. 设备和服务器都存储密钥。
- All other requests uses the key to authenticate. 所有其他请求都使用密钥进行身份验证。
- For every call, the server checks if the key matches the one it have stored. 对于每个呼叫,服务器检查密钥是否与其存储的密钥匹配。
- device never stores the username or password. 设备永远不会存储用户名或密码。
- server can disable/delete that key if suspect of breach, in which case user will have to login again 如果怀疑是违规,服务器可以禁用/删除该密钥,在这种情况下,用户必须再次登录
Do all of this using encryption. 使用加密完成所有这些操作。 Everything! 一切!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.