用户认证之前的安全休息服务
[英]Secure Rest-Service before user authentification
问题描述
I have a web application that provides several rest services (Jersey). 
我有一个Web应用程序,提供一些休息服务(泽西岛)。 Most of the endpoints are secured by BASIC authentification. 大多数端点都通过BASIC身份验证来保护。 Further more I use SSL for transport and demand POSTs for every call. 此外,我使用SSL进行传输,并为每个呼叫要求POST。 The clients/consumers are android apps. 客户端/消费者是android应用。
So far so good. 到现在为止还挺好。 The only service that seems to be vulnerable is the registration. 似乎容易受到攻击的唯一服务是注册。 It's the 'first' service to call and a user does not exist yet. 这是呼叫的“第一个”服务,并且用户还不存在。 So I cannot use OAuth, etc. I also have to keep the endpoint easy accessible to enable the user to regster. 因此,我无法使用OAuth等。我还必须使端点易于访问以使用户能够注册。
How do I secure this service, so it's not spammed by a bot flooding my database? 我如何确保此服务的安全性,以防僵尸程序淹没我的数据库?
1 个解决方案
解决方案1
0 已采纳 2016-07-18 08:57:00
How about these? 这些怎么样?
- Use a registration link with a token in the request parameter. 在request参数中使用带有令牌的注册链接。 Ensure that the tokens expire after sometime. 确保令牌在一段时间后过期。 You could create a token endpoint url as well for a client to get a valid token. 您也可以为客户端创建令牌端点URL,以获取有效令牌。
- Use a custom header or a dynamic custom header in your request. 在请求中使用自定义标头或动态自定义标头。 Additionally, you could check for a dynamic custom header to validate the request's authenticity. 此外,您可以检查动态自定义标头以验证请求的真实性。
- Use registration confirmation workflows, such as an email / text verification as soon the registration is done. 完成注册后,立即使用注册确认工作流程,例如电子邮件/文本验证。 Run a process every day to delete any user accounts, which are not validated in say x days. 每天运行一个过程以删除所有用户帐户,这些帐户在x天之内没有得到验证。
I do not think you can really secure the registration URL in a HTTP way. 我认为您真的不能以HTTP方式保护注册URL。 IMHO, anyone who has the registration url can be a right guy trying to register. 恕我直言,任何拥有注册网址的人都可以尝试注册。 So if you ask me, option 3 is better than others. 因此,如果您问我,选项3比其他选项更好。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.