用Zend创建安全的REST API的最佳方法是什么?
[英]What is the Best way to create a secure REST API with Zend?
问题描述
I have been looking on a lot of questions about REST API and security and found some interesting informations but there is still one thing I don't understand. 
我一直在寻找有关REST API和安全性的许多问题,并发现了一些有趣的信息,但是我仍然不了解一件事。
So, I have a REST API developped with Zend Framework with basic authentication over an https channel (so if I understoud what I have read, the login/password are encrypted when they are sent). 因此,我有一个使用Zend Framework开发的REST API,它通过https通道进行了基本身份验证(因此,如果我理解所读内容,则在发送登录名/密码时会对其进行加密)。 The purpose of this API is to be called by Android/iPhones apps and will only be available to people who have a login and a password 此API的目的是由Android / iPhones应用程序调用的,并且只有具有登录名和密码的人才能使用
SO, currently, to call the API, the login and password are always sent with the call and so, I check them at every call (the result is it makes a call to the database just for authentication at each call to the API). 因此,当前,要调用API,登录名和密码始终随调用一起发送,因此,我在每次调用时都会对其进行检查(结果是,每次对API进行调用时,都会对数据库进行调用以进行身份验证)。
Is there some kind of session management (as in web developpement) to avoid that? 是否有某种会话管理(例如在Web开发中)可以避免这种情况?
Thank, 谢谢,
1 个解决方案
解决方案1
0 已采纳 2012-08-10 19:45:35
REST API should be stateless, but you can use request signing using some secret key you obtain after first submission of username + password. REST API应该是无状态的,但是您可以使用在第一次提交用户名+密码后获得的一些秘密密钥来使用请求签名。
In other words, do not send username and password every time, just use once, to obtain secret key. 换句话说,不要每次都发送用户名和密码,只需使用一次即可获取密钥。
You may take a look at several APIs that sign the requests, eg. 您可以看一下几个签名请求的API,例如。 some implementing OAuth. 一些实现OAuth。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.