通过SSL和HTTP基本身份验证的REST服务
[英]REST service through SSL and HTTP Basic Authentication
问题描述
In Securing an API: SSL & HTTP Basic Authentication vs Signature HTTP Basic Authentication is cited as an adequate way to secure REST web service calls if the REST calls are made through SSL. 
在保护API中:SSL和HTTP基本身份验证与签名如果通过SSL进行REST调用,则将HTTP基本身份验证作为确保REST Web服务调用安全的适当方法。
But it seems this method will still not work for an unsecured client page that uses Ajax to make calls to the REST service that is protected behind SSL & Basic Auth. 但是,对于使用Ajax调用受SSL和基本身份验证保护的REST服务的不安全客户端页面,该方法似乎仍然无法使用。
I am trying to design an application that performs password reset using the usual way: 我正在尝试设计一个使用常规方法执行密码重置的应用程序:
- user enters username and requests "reset password" email 用户输入用户名并请求“重置密码”电子邮件
- user receives email with a password reset link that includes a verifiable token 用户收到带有密码重置链接的电子邮件,该链接包含可验证的令牌
- user clicks on the link and (after the token is verified) types in their updated password 用户单击链接,然后(在验证令牌之后)输入其更新的密码
By definition these pages do not require login. 通过定义这些网页不需要登录。 Can this UI be implemented using Ajax that calls REST services to do things like validate token, send email, etc.? 是否可以使用Ajax来实现此UI,Ajax调用REST服务来执行诸如验证令牌,发送电子邮件等操作? Even if those REST services are protected behind SSL & Basic Auth, the information that you need to call the service (ie the application's "username" and password) will be at best in cookies which would be accessible through the browser. 即使这些REST服务受SSL和基本身份验证的保护,您调用该服务所需的信息(即应用程序的 “用户名”和密码)也将最好在cookie中,这些cookie可以通过浏览器访问。
I know I am missing something. 我知道我缺少什么。 I just don't know what :-) 我只是不知道什么:-)
2 个解决方案
解决方案1
1 2011-09-01 02:41:12
As long as 1 - 3 happen under SSL, the data will be safe over the wire to the server (assuming you trust the certificate authority) 只要在SSL下发生1-3次,数据就可以通过网络安全传输到服务器(假设您信任证书颁发机构)
During that process, the browser will hold those credentials in memory. 在此过程中,浏览器将这些凭据保存在内存中。 You have no choice but to trust that if the user is going to enter the data. 您别无选择,只能相信用户是否要输入数据。
It is the web sites code that determines whether to store info in cookies. 网站代码确定是否将信息存储在cookie中。
I think you should be OK if 1 - 3 are under SSL. 我认为如果1-3使用SSL,您应该可以。
解决方案2
0 2011-09-01 02:35:30
I've no idea what you're protecting so I'l just toss some thoughts out. 我不知道您要保护什么,所以我只是想一想。
SSL and TLS are not meaningful if you (or someone else who gives a hoot) aren't in control of the root list of the relying party. 如果您(或其他提供帮助的人)无法控制依赖方的根列表,则SSL和TLS没有意义。 I say this because I expect that if you don't trust the guy with the key to the lock then you won't put your money in his vault. 我之所以这样说,是因为我希望,如果您不信任那个带锁钥匙的人,那么您就不会把钱投入他的金库中。 So if the users loading the login pages are in the wild so to speak then user/pass through TLS is a low bar, definitely good enough for protecting my favorite movies list. 因此,可以这么说,如果加载登录页面的用户非常疯狂,那么通过TLS的用户/访问权限就很低,绝对足以保护我最喜欢的电影列表。
Carby praises to the all being FSM 卡比称赞所有人都是FSM
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.