How to protect RESTful API

心在旅途
心在旅途 2020-12-14 19:30

I have been looking for a way to protect my RESTful APIs. This appeared simple, but it seems to not be so simple. First off, I am writing an iOS app connecting to a Play Fra

4 answers
  • 2020-12-14 19:30

    So the only problem with the Basic Authentication approach was that the user has to login every day? Why not offer the user an option to save his username/password on the device? That way he can choose between security and convenience.

  • 2020-12-14 19:35

    Since Play Framework is in Java, you could use Apache Shiro.

    I haven't used it yet (I am planning to, though), so I don't know if it's the best option.

  • 2020-12-14 19:48

    I'd suggest considering the approach used by the biggest players, i.e. Amazon Web Services or Windows Azure: HMAC. Although it isn't comfortable to implement, as you can see it's a trusted technique.

    The general idea is to sign parts of the request (i.e. headers) on iOS with a secret key and recalculate the signature in the Play app to verify that the request is authentic and not manipulated. If the check doesn't fail, you can be (almost) sure that it was sent by somebody who uses the valid secret key.

    Take a look at Windows' document to get the concept (I think that for common tasks you can use fewer elements for signing).

    There is also another interesting post (based on AWS authentication) which describes the whole process even better.

    Edit

    Of course, you should realize that authentication in iOS and securing API requests are different things. Even if you expire your session every 15 minutes, you can't be sure that somebody won't intercept it and then be able to send a fake request from the outside. Signing every request should minimize the risk.

    On the other hand, if you prepare clear rules for signing the requests and write a short doc (which I recommend even for yourself), you can deliver it to another developer and he'll be able to implement it on (almost) any platform supporting SHA256, so you will have an API ready for use from third-party apps, if you decide to publish it in the future.

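The request-signing scheme this answer describes, as an added example that is not from the post, from AWS or from Azure: a client-side signer and a server-side verifier sharing an HMAC-SHA256 secret. The key id, header names, canonical-string layout and timestamp window are assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed sample credentials (not real): the server looks the secret up
# by key id; the iOS client holds its own copy of the same secret.
SECRETS = {"app-key-1": b"example-shared-secret"}
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is too old or too new


def canonical_string(method: str, path: str, timestamp: str, body: bytes) -> str:
    """The exact string both sides sign. Hashing the body binds the payload,
    so a captured signature cannot be reused with a modified body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash])


def sign_request(key_id: str, secret: bytes, method: str, path: str,
                 body: bytes, now: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the headers that accompany the request."""
    timestamp = str(now if now is not None else int(time.time()))
    msg = canonical_string(method, path, timestamp, body).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": timestamp, "X-Signature": mac}


def verify_request(headers: Dict[str, str], method: str, path: str,
                   body: bytes, now: Optional[int] = None) -> bool:
    """Server side: recompute the HMAC over what was actually received."""
    secret = SECRETS.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False  # unknown key id
    timestamp = headers.get("X-Timestamp", "")
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    current = now if now is not None else int(time.time())
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # stale (possibly replayed) request
    msg = canonical_string(method, path, timestamp, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the signature via timing.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```

A signature computed over the received method, path, timestamp and body is only accepted when every one of them matches what the client signed, which is the property the answer relies on.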
  • 2020-12-14 19:55

    Just do something simple: send the authorization code / password in a custom header over HTTPS.
