[英]How to secure Rest Based API?
We intend to develop rest based api. 我们打算开发基于REST的API。 I explored the topic but it seems, you can secure api when your client is an app (So there are many ways, public key - private key etc).
我探讨了该主题,但看来,当您的客户端是应用程序时,您可以保护api(因此有很多方法,例如公钥-私钥等)。 What about websites / mobile website, if we are accessing rest based api in website which do not use any login for accessing contents ( login would be optional ) then how could we restrict other people from accessing rest based api ?
那么网站/移动网站呢,如果我们正在访问不使用任何登录名访问内容的网站中基于Rest的api(登录将是可选的),那么我们如何限制其他人访问基于rest的api?
Does it make sense using Oauth2.0 ? 使用Oauth2.0是否有意义? I don't have clear idea of that.
我对此不清楚。
More clear question could be ,How can we secure get or post request exposed over web for the website which doesn't use any login ? 更明确的问题是,对于不使用任何登录信息的网站,我们如何确保通过Web公开的获取或发布请求?
If it's simple get request or post request , which will return you json data on specific input, now i have mobile website , who will access those data using get request or post request to fetch data. 如果这是简单的get request或post request,它将在特定输入上返回json数据,那么我现在拥有移动网站,该网站将使用get request或post request访问这些数据以获取数据。 Well, some else can also access it , problem is i am not using Login, user can access data directly.
好吧,其他人也可以访问它,问题是我没有使用登录名,用户可以直接访问数据。 But how can we restrict other people from accessing that data.
但是我们如何限制其他人访问该数据。
What do you think is the difference between securing a website that is not using REST vs one that is using REST API? 您认为保护不使用REST的网站与使用REST API的网站之间的区别是什么?
OAuth provides authorisation capabilities for your site, in a REST architecture this means a user of the mobile application will have to provide their credentials before being allowed to access the resource. OAuth在REST架构中为您的站点提供授权功能,这意味着移动应用程序的用户必须提供其凭据才能被允许访问该资源。 The application can then decide on if that user has access to the requested resource.
然后,应用程序可以确定该用户是否有权访问所请求的资源。 However you've said your website doesn't need use authorisation.
但是,您已经说过您的网站不需要使用授权。
You can use certificates however good luck managing the certificate for each client. 您可以使用证书,但是可以为每个客户端管理证书。 My take on it is for your explanation you don't need to secure your website because you will never be able to manage a trust relationship between the client and the server.
我的看法是为了您的解释,您无需保护网站,因为您将永远无法管理客户端与服务器之间的信任关系。 There are some options though:
但是有一些选择:
There are probably others but you get the basic idea. 可能还有其他人,但您了解基本概念。 Again in my opinion if your resource doesn't need authorisation then you don't need to secure that REST API.
我再次认为,如果您的资源不需要授权,则不需要保护该REST API。 Can I ask what kind of data are you exposing via this REST API or functionality your providing?
请问您通过此REST API或提供的功能公开了哪些数据? That might help provide a better answer.
这可能有助于提供更好的答案。
You want authorization: only some agents (mobile clients) and/or users should be allowed to access those APIs. 您需要授权:仅应允许某些代理(移动客户端)和/或用户访问这些API。
To solve that problem, you need identification: a way for the server to tell who is who (or what), so the right decision can be made. 要解决该问题,您需要标识:服务器识别谁是谁(或什么)的一种方法,以便可以做出正确的决定。
There are many different way to provide some form of identification, depending how much you care about security. 提供多种形式的身份验证的方式有很多,具体取决于您对安全性的重视程度。
The simplest is a user agent string, specific to your mobile clients. 最简单的是特定于您的移动客户端的用户代理字符串。 But it can be faked easily.
但是它很容易被伪造。 Slightly harder to fake are client based 'secrets' - embed some kind of secret or key in your mobile client code.
基于客户端的“秘密”稍微难于伪造-在您的移动客户端代码中嵌入某种秘密或密钥。 You can make it really complicated and secret, but as ramsinb pointed out, you can't get security this way as it would require you to be able to guarantee that the secret you're shipping with the client (wether it's code, algorithm or any other fancy construct) can't be compromised or reverse engineered.
您可以使其变得非常复杂和秘密,但是正如ramsinb所指出的那样,您无法以这种方式获得安全性,因为这将需要您能够保证与客户端一起提供的秘密(无论是代码,算法还是任何其他花哨的构造)都不会受到损害或进行反向工程。 Not happening when you don't control the client.
当您不控制客户端时,不会发生。
From there, 3 choices: 从那里,有3个选择:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.