保护Rest Web服务以进行公共身份验证-服务器到服务器
[英]Securing Rest Web Service for Public Authentication - Server to Server
问题描述
I've a have a public RESTful API that is used for user authentication for a web application that accepts the user id and password in clear text (see below). 
我有一个公共的RESTful API,用于Web应用程序的用户身份验证,该应用程序接受明文形式的用户ID和密码(请参见下文)。 The username is passed in the url path as a path parameter and the password is a query string parameter. 用户名在URL路径中作为路径参数传递,密码是查询字符串参数。 The HTTP GET comes from another web application on the server side (http client request), is this API secure? HTTP GET来自服务器端的另一个Web应用程序(http客户端请求),此API安全吗? I was under the impression that the URL can not be seen if the request is going from server to server. 我的印象是,如果请求从服务器到服务器,则无法看到URL。 My main fear is that someone could use something like firebug and see the traffic and get the userid and password. 我的主要担心是,有人可能会使用Firebug之类的东西来查看流量并获取用户名和密码。
REST end point: REST端点:
HTTP GET https://host:80/user/joebob?password=pass123
1 个解决方案
解决方案1
1 已采纳 2012-05-30 21:57:19
Someone most definitely could see the username and password with a simple network sniffer. 绝对可以肯定有人可以通过简单的网络嗅探器查看用户名和密码。 If you are POSTing the request, why are the parameters in the URL? 如果要发布请求,为什么URL中的参数呢? They should be in the body like a normal POST, then at least the SSL protection kicks in and people can't sniff them. 它们应该像普通的POST一样位于身体中,然后至少启动SSL保护,并且人们不能嗅探它们。 Another option would be for you to look at HTTP Basic Auth. 另一个选择是让您查看HTTP基本身份验证。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.