问题
I see the following link that explains how rest api needs to be secured. (Using public key and a HMAC(hash) of request parameters and private key).
http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
I also see this link in stackoverflow which talks about rest api security using spring
combining spring security 3 with jersey rest api
I see this link in oracle weblogic website that talks about restful api security using web.xml or security context etc
http://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm
Are these approaches distinct or related? I also couldn't find any code that actually does handshake etc. I am totally confused. Please help.
回答1:
Second and third approaches are related in that they secure the web context for certain users, groups or roles.
First approach talks about encrypting URL parameters so that sensitive request parameters sent through GET method are protected.
Both of the above are independent and are needed for different reasons. (message level security vs access control).
来源:https://stackoverflow.com/questions/11024210/jersey-rest-api-security