问题
I would like to put a web service, at the moment in a intranet of my company, on internet, to make partners able to access information provided by the web service. At the moment, web service is in a SOA, and I decided to move everything to RESTful web service, so in a web oriented architecture. I'm considering some security aspects I should take into account to do this operation.
I don't know which solution can be more useful in my case. I've already looked for HMAC, OAuth information, but I would like to know if is possibile to use OAuth, without introducing a third part.
For example, a partner want to sign in the web site, and then continue the navigation, is 2-legged OAuth useful for my needs? Are there other useful security solution to do this operation?
Really Thanks.
回答1:
Yes, OAuth supports a "2-legged" case; just omit the oauth_token parameter, and then use either HMAC-SHA1 (shared secret) or RSA-SHA1 (public key) as desired. It's worth noting that the signatures do not cover everything an API client might send; it doesn't cover the body of PUT requests or the body of POST requests that aren't form submissions.
You may want to investigate simply using HTTPS + Basic Auth, as this lets you leverage lots of off-the-shelf software (Apache or equivalent) without having to introduce signing libraries into your client and server.
来源:https://stackoverflow.com/questions/4239846/2-legged-oauth-and-rest