
Sending sensitive information to REST service

We currently have a SOAP based web service that our in house applications use to authenticate users. Basically, they send a SOAP request with the username and password. The web service authenticates their credentials against our data store and returns user information if the authentication is successful. The web service is secured using BASIC authentication and SSL.

We need to make modifications to this web service and I was considering re-writing it as a REST service. The REST services I have created in the past have been fairly simple and had no need for security. I have never created a REST service that used sensitive information, so I have a couple of questions / concerns:

First, is there a best practice for sending sensitive query parameters (user credentials) to a REST service securely? I can still use the BASIC authentication and SSL.

Second, if I send a query to a REST service using POST, is it still considered RESTful, or is GET required for REST queries?

You can use SSL and Basic authentication with REST web services as well.

HTTP GET is usually used for data retrieval (queries) but you can use HTTP POST as well. GET is especially useful if you can use any type of HTTP caching. POST is useful if you need to transfer a lot of data to define your query or if your web service operation expects some complex data format instead of simple arguments.
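To make the "SSL plus Basic authentication, with POST" answer above concrete, here is an added example (not code from the question or any answer) of a minimal WSGI authentication endpoint written with only the Python standard library. It refuses credentials on a non-TLS connection, parses the `Authorization: Basic` header, compares password hashes in constant time, and returns the user profile on success. The user store, salt and credentials are constructed demo values; a production service would use a proper slow password hash and a real store.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo credential store: username -> salted PBKDF2 hash of the password.
# pbkdf2_hmac is used only because it ships with the standard library; a real
# service would use bcrypt/scrypt/argon2 and a per-user salt.
_SALT = b"demo-static-salt"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {
    "alice": {
        "pw": _hash_pw("correct horse battery staple"),
        "profile": {"name": "Alice", "role": "staff"},
    },
}


def parse_basic_auth(header):
    """Return (username, password) from an 'Authorization: Basic ...' header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(username, password):
    """Check credentials against the store; returns the profile dict or None."""
    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal whether the name exists.
    candidate = _hash_pw(password)
    expected = record["pw"] if record else candidate
    ok = hmac.compare_digest(candidate, expected)  # constant-time comparison
    if record is None or not ok:
        return None
    return record["profile"]


def app(environ, start_response):
    """Minimal WSGI app: POST /authenticate with HTTP Basic credentials, TLS only."""
    json_hdr = ("Content-Type", "application/json")
    if environ.get("wsgi.url_scheme") != "https":
        # Never accept credentials over a cleartext connection.
        start_response("403 Forbidden", [json_hdr])
        return [b'{"error": "TLS required"}']
    if environ.get("REQUEST_METHOD") != "POST" or environ.get("PATH_INFO") != "/authenticate":
        start_response("404 Not Found", [json_hdr])
        return [b'{"error": "not found"}']
    creds = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
    profile = authenticate(*creds) if creds else None
    if profile is None:
        start_response("401 Unauthorized", [json_hdr, ("WWW-Authenticate", 'Basic realm="auth"')])
        return [b'{"error": "invalid credentials"}']
    start_response("200 OK", [json_hdr])
    return [json.dumps(profile).encode("utf-8")]


def call(environ):
    """Helper for exercising the app without a server: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def basic_header(username, password):
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    env = {"wsgi.url_scheme": "https", "REQUEST_METHOD": "POST", "PATH_INFO": "/authenticate",
           "HTTP_AUTHORIZATION": basic_header("alice", "correct horse battery staple")}
    print(call(env))
```

The `wsgi.url_scheme` check is the piece that matters for the question: Basic authentication only sends the password base64-encoded, so the endpoint should refuse to process it unless the request arrived over TLS (or behind a TLS-terminating proxy that sets the scheme).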

Instead of doing the authentication via REST, you might also consider a networked authentication protocol to use in conjunction with web services. Technologies like Kerberos and OAuth were designed for these sorts of use cases.

To answer your questions, however:

  1. REST encourages you to leverage HTTP and related protocols, so using SSL and BASIC authentication is quite appropriate.

  2. REST encourages the use of not just GET and POST, but even other HTTP "verbs" such as PUT and DELETE. Use GET only for idempotent operations with no side-effects.

Going from SOAP to REST is taking a step backward as far as security goes.

As far as best practices:

  • Don't roll your own security. Use a framework or existing library that has been peer-reviewed and tested.
  • Don't pass unencrypted static keys. If you're using HTTP Basic and sending it across the wire, encrypt it.
  • Ideally, use hash-based message authentication code (HMAC) because it's the most secure.

Why REST security doesn't exist
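The third answer recommends HMAC but does not show what that looks like for a REST request. The following added example (not code from the question or any answer) shows one common request-signing scheme: the client and server share a secret, the client signs a canonical string of method, path, timestamp and body hash with HMAC-SHA256, and the server recomputes the MAC, compares it in constant time, and rejects requests whose timestamp is outside a replay window. The API key, secret and header names are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed shared secrets keyed by API key; in practice provisioned out of band
# and stored in a secrets manager, never in source code.
API_KEYS = {"app-001": b"constructed-shared-secret-for-app-001"}

# Requests older or newer than this many seconds are rejected to limit replay.
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, timestamp, body):
    """Deterministic representation of the request that both sides sign."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def compute_mac(secret, method, path, timestamp, body):
    msg = canonical_string(method, path, timestamp, body).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_request(api_key, method, path, body, timestamp=None):
    """Client side: return the headers to attach to the request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    mac = compute_mac(API_KEYS[api_key], method, path, ts, body)
    return {"X-Api-Key": api_key, "X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(headers, method, path, body, now=None):
    """Server side: returns (accepted, reason)."""
    now = int(time.time()) if now is None else int(now)
    secret = API_KEYS.get(headers.get("X-Api-Key"))
    if secret is None:
        return False, "unknown api key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    expected = compute_mac(secret, method, path, ts, body)
    presented = str(headers.get("X-Signature", ""))
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"username": "alice"}'
    hdrs = sign_request("app-001", "POST", "/authenticate", body)
    print(verify_request(hdrs, "POST", "/authenticate", body))
```

Because the body hash is part of the signed string, any modification in transit (or a replayed signature attached to a different body or path) fails verification; the timestamp window bounds how long a captured request remains valid. The shared secret itself never travels in the request, which is the property the answer's "don't pass unencrypted static keys" bullet is getting at.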
