适用于第三方客户(AAA)的REST API
[英]rest api for 3rd party customers (AAA)
问题描述
I am currently working on a REST/JSON API that has to provide some services through remote websites. 
我目前正在研究REST / JSON API,该API必须通过远程网站提供一些服务。 I do not know the end-customers of these websites and they would/should not have an account on the API server. 我不知道这些网站的最终客户,他们将/不应该在API服务器上拥有一个帐户。 The only accounts existent on the API server would be the accounts identifying the websites. API服务器上唯一存在的帐户将是标识网站的帐户。 Since this is all RESTful and therefore all communication would be between end-user browser (through javascript/JSON) and my REST API service, how can I make sure that the system won't be abused by 3rd parties interested in increasing the middleman's bill? 由于所有这些都是RESTful的,因此所有通信都将在最终用户浏览器(通过javascript / JSON)和我的REST API服务之间进行,我如何确保该系统不会被有兴趣提高中间人账单的第三方滥用? (where the middleman is the owner of the website reselling my services). (中间商是转售我的服务的网站的所有者)。 What authentication methods would you recommend that would work and would prevent users from just taking the js code from the website and call it 1000000 times just to bankrupt the website owner? 您会建议哪种身份验证方法行得通,并且可以防止用户仅从网站上获取js代码并将其称为1000000次,以使网站所有者破产? I was thinking of using the HTTP_REFERER , and translate that to IP address (to find out which server is hosting the code, and authenticate based on this IP), but I presume the HTTP_REFERER can easily be spoofed. 我当时在考虑使用HTTP_REFERER并将其转换为IP地址(以找出托管该代码的服务器,并根据该IP进行身份验证),但是我认为HTTP_REFERER可以很容易地被欺骗。 I'm not looking for my customer's end customers to register on the API server, this would defeat the purpose of this API. 我不是在寻找我的客户的最终客户在API服务器上注册,这会违背该API的目的。
Some ideas please? 有什么想法吗?
Thanks, Dan 谢谢,丹
1 个解决方案
解决方案1
0 2013-02-01 19:53:15
This might not be an option for you, but what I've done before in this case is to make a proxy on top of the REST calls. 这可能不是您的选择,但是在这种情况下,我之前所做的就是在REST调用之上创建代理。 The website calls its own internal service and then that service calls your REST calls. 该网站调用其自己的内部服务,然后该服务调用您的REST调用。 The advantage is that, like you said, no one can hit your REST calls directly or try to spoof calls. 好处是,就像您所说的那样,没有人可以直接打REST呼叫或尝试欺骗呼叫。
Failing that, you could implement an authentication scheme like HMAC ( http://en.wikipedia.org/wiki/Hash-based_message_authentication_code ). 如果失败,则可以实现类似HMAC的身份验证方案( http://en.wikipedia.org/wiki/Hash-based_message_authentication_code )。 I've seen a lot of APIs use this. 我已经看到很多API使用此方法。
Using HMAC-SHA1 for API authentication - how to store the client password securely? 使用HMAC-SHA1进行API身份验证-如何安全存储客户端密码?
Here is what Java code might look like to authenticate: http://support.ooyala.com/developers/documentation/api/signature_java.html 验证Java代码的方式如下: http : //support.ooyala.com/developers/documentation/api/signature_java.html
Either way I think you'll have to do some work server side. 无论哪种方式,我认为您都必须在服务器端做一些工作。 Otherwise people might be able to reverse engineer the API if everything is purely client side. 否则,如果一切都纯粹是客户端,人们可能可以对API进行反向工程。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.