简体繁体 English

如何保护基于Rest的API？

[英]How to secure Rest Based API?

原文 2012-11-26 19:28:35 7 2 rest/ post/ get

We intend to develop rest based api. 我们打算开发基于REST的API。 I explored the topic but it seems, you can secure api when your client is an app (So there are many ways, public key - private key etc). 我探讨了该主题，但看来，当您的客户端是应用程序时，您可以保护api（因此有很多方法，例如公钥-私钥等）。 What about websites / mobile website, if we are accessing rest based api in website which do not use any login for accessing contents ( login would be optional ) then how could we restrict other people from accessing rest based api ? 那么网站/移动网站呢，如果我们正在访问不使用任何登录名访问内容的网站中基于Rest的api（登录将是可选的），那么我们如何限制其他人访问基于rest的api？

Does it make sense using Oauth2.0 ? 使用Oauth2.0是否有意义？ I don't have clear idea of that. 我对此不清楚。

More clear question could be ,How can we secure get or post request exposed over web for the website which doesn't use any login ? 更明确的问题是，对于不使用任何登录信息的网站，我们如何确保通过Web公开的获取或发布请求？

If it's simple get request or post request , which will return you json data on specific input, now i have mobile website , who will access those data using get request or post request to fetch data. 如果这是简单的get request或post request，它将在特定输入上返回json数据，那么我现在拥有移动网站，该网站将使用get request或post request访问这些数据以获取数据。 Well, some else can also access it , problem is i am not using Login, user can access data directly. 好吧，其他人也可以访问它，问题是我没有使用登录名，用户可以直接访问数据。 But how can we restrict other people from accessing that data. 但是我们如何限制其他人访问该数据。

2 个解决方案

What do you think is the difference between securing a website that is not using REST vs one that is using REST API? 您认为保护不使用REST的网站与使用REST API的网站之间的区别是什么？

OAuth provides authorisation capabilities for your site, in a REST architecture this means a user of the mobile application will have to provide their credentials before being allowed to access the resource. OAuth在REST架构中为您的站点提供授权功能，这意味着移动应用程序的用户必须提供其凭据才能被允许访问该资源。 The application can then decide on if that user has access to the requested resource. 然后，应用程序可以确定该用户是否有权访问所请求的资源。 However you've said your website doesn't need use authorisation. 但是，您已经说过您的网站不需要使用授权。

You can use certificates however good luck managing the certificate for each client. 您可以使用证书，但是可以为每个客户端管理证书。 My take on it is for your explanation you don't need to secure your website because you will never be able to manage a trust relationship between the client and the server. 我的看法是为了您的解释，您无需保护网站，因为您将永远无法管理客户端与服务器之间的信任关系。 There are some options though: 但是有一些选择：

You build your own client application that you ship out to people which can verify itself with the server using a packaged certificate with the client. 您可以构建自己的客户端应用程序，然后将其交付给可以使用与客户端一起打包的证书向服务器进行验证的人员。 Eg iOS has this kind of feature if you build for that device. 例如，如果您为该设备构建iOS，则iOS具有此类功能。
You provide a capability to download a certificate that is 'installed' in the browser and used when communicating to your REST API 您提供了下载证书的功能，该证书已在浏览器中“安装”并在与REST API通信时使用
Use something like a handshaking protocol so when a client wants to make the first request it says; 使用类似握手协议的协议，这样当客户想要发出第一个请求时，它会说： 'hi I'm a client can we chat?' “嗨，我是客户，我们可以聊天吗？” And the server responds with 'yes for the next X minutes we can however make sure you send me this key everytime you tell me something YYYYYY' (you can use something like SecureUDID or equivalent for other devices than iOS). 并且服务器在接下来的X分钟内回答“是”，但是我们可以确保每次告诉我YYYYYY时都将这个密钥发送给我（您可以将SecureUDID之类的东西或类似的东西用于iOS以外的其他设备）。

There are probably others but you get the basic idea. 可能还有其他人，但您了解基本概念。 Again in my opinion if your resource doesn't need authorisation then you don't need to secure that REST API. 我再次认为，如果您的资源不需要授权，则不需要保护该REST API。 Can I ask what kind of data are you exposing via this REST API or functionality your providing? 请问您通过此REST API或提供的功能公开了哪些数据？ That might help provide a better answer. 这可能有助于提供更好的答案。

You want authorization: only some agents (mobile clients) and/or users should be allowed to access those APIs. 您需要授权：仅应允许某些代理（移动客户端）和/或用户访问这些API。

To solve that problem, you need identification: a way for the server to tell who is who (or what), so the right decision can be made. 要解决该问题，您需要标识：服务器识别谁是谁（或什么）的一种方法，以便可以做出正确的决定。

There are many different way to provide some form of identification, depending how much you care about security. 提供多种形式的身份验证的方式有很多，具体取决于您对安全性的重视程度。

The simplest is a user agent string, specific to your mobile clients. 最简单的是特定于您的移动客户端的用户代理字符串。 But it can be faked easily. 但是它很容易被伪造。 Slightly harder to fake are client based 'secrets' - embed some kind of secret or key in your mobile client code. 基于客户端的“秘密”稍微难于伪造-在您的移动客户端代码中嵌入某种秘密或密钥。 You can make it really complicated and secret, but as ramsinb pointed out, you can't get security this way as it would require you to be able to guarantee that the secret you're shipping with the client (wether it's code, algorithm or any other fancy construct) can't be compromised or reverse engineered. 您可以使其变得非常复杂和秘密，但是正如ramsinb所指出的那样，您无法以这种方式获得安全性，因为这将需要您能够保证与客户端一起提供的秘密（无论是代码，算法还是任何其他花哨的构造）都不会受到损害或进行反向工程。 Not happening when you don't control the client. 当您不控制客户端时，不会发生。

From there, 3 choices: 从那里，有3个选择：

Security isn't really required, don't bother 并不是真正需要安全性，不要打扰
Security isn't really required, but you still want to limit access to your API to either legit users/agents or people ready to invest some time hacking your protection - go with a specific user agent or a client embedded secret - don't invest much into it as it won't block people who really want access to get it anyway 并不是真正需要安全性，但是您仍然想将对API的访问限制为合法用户/代理或准备投资一些时间来破坏保护的人员-使用特定的用户代理或客户端嵌入的机密-不要投资因为它不会阻止真正想要访问它的人
Security IS required - and then I don't think there is a way around authentication, wether it's login/password, user specific (device specific?) keys, OpenID, etc... No matter what, you'll have to add to the user burden to some extent, although you can limit that burden by allowing authentication to persist (cookies, storage....) 需要安全性-然后我认为没有办法解决身份验证，无论是登录名/密码，特定于用户（特定于设备的密钥），OpenID等等，无论如何，您都必须添加尽管可以通过允许身份验证持久化（Cookie，存储...）来限制该负担，但在一定程度上减轻了用户负担