[英]Secure Rest-Service before user authentification
I have a web application that provides several rest services (Jersey). 我有一个Web应用程序,提供一些休息服务(泽西岛)。 Most of the endpoints are secured by BASIC authentification.
大多数端点都通过BASIC身份验证来保护。 Further more I use SSL for transport and demand POSTs for every call.
此外,我使用SSL进行传输,并为每个呼叫要求POST。 The clients/consumers are android apps.
客户端/消费者是android应用。
So far so good. 到现在为止还挺好。 The only service that seems to be vulnerable is the registration.
似乎容易受到攻击的唯一服务是注册。 It's the 'first' service to call and a user does not exist yet.
这是呼叫的“第一个”服务,并且用户还不存在。 So I cannot use OAuth, etc. I also have to keep the endpoint easy accessible to enable the user to regster.
因此,我无法使用OAuth等。我还必须使端点易于访问以使用户能够注册。
How do I secure this service, so it's not spammed by a bot flooding my database? 我如何确保此服务的安全性,以防僵尸程序淹没我的数据库?
How about these? 这些怎么样?
I do not think you can really secure the registration URL in a HTTP way. 我认为您真的不能以HTTP方式保护注册URL。 IMHO, anyone who has the registration url can be a right guy trying to register.
恕我直言,任何拥有注册网址的人都可以尝试注册。 So if you ask me, option 3 is better than others.
因此,如果您问我,选项3比其他选项更好。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.