Replies, comments and Discussions:

  • Work & Study / Tech Chat / How can I make RESTful communication secure?
    In an enterprise application where iOS and Java communicate over RESTful calls, what is a good way to improve security? Is OAuth an option? Are there others?
    • Improving security is a big topic with many parts
      When OAuth is mentioned, it is mainly about authentication and authorization. It does not help security per se, because introducing a new module adds complexity. But for customers, being able to log in with a Facebook account instead of registering a new one is a good thing.

      The security of a web API like RESTful is mainly guaranteed by HTTPS. Using HTTPS secures the communication link and prevents tampering and eavesdropping.

      Security is too broad a topic; that's it for now.
      • Can you recommend some materials and links for me to study?
        • I don't read many books; mostly I read blogs. Hacker News is worth a look, it is timely on the latest vulnerabilities and ideas. The book 《加密与解密》 (Encryption and Decryption) is from the 看雪 (Pediy) forum; for me it was very sleep-inducing.
          Actually, if you study the HTTP protocol and SSL carefully, you will roughly understand the ideas of authentication, authorization, verification and so on in networks; then apply them to the software you develop. If it is system architecture design, technologies such as firewalls, intrusion detection and honeypots may need consideration; you won't necessarily use them, but they broaden your knowledge.
    • Use OAuth 2. In short, you will need an authorization server and a resource server, and everything must be under SSL. This is not a topic that can be easily covered.
      If you are designing an API that allows an iOS native application to communicate, you need a token refreshing mechanism, because you don't want to keep asking the iOS user to enter a user name and password every time they use your app. You just want them to send a refresh token to re-authenticate, and the token is generated from your own trusted source...

      While if the API is supporting a web page at the same time, your token generator needs to know which application is sending the request, so you need to generate different logic to handle it...

      It sounds complicated, right? Because it is. If this world were full of nice people, we wouldn't even have such a problem.

      Because there are a lot of different implementations, you have to dig on your own.
      • Why does the API have to treat the token differently if the request is coming from a web page? All requests have to be treated as untrusted, unless you have an infrastructure which can tell the difference...
        • The only difference is how long you want to refresh the token. A native mobile app might not have to refresh so frequently, to reduce the server load, as opposed to other sources.
        • Another reason is, imagine you are an admin: you need to know which token in the DB belongs to which user requesting from which app, so you know what to do with them... for API purposes.
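The token policy the two replies above describe (a different refresh lifetime per client type, single-use refresh tokens, and a table that ties each token back to a user and an app for the admin) written out as an added Python example; it is not code from the thread, and the client types, lifetimes and in-memory storage are assumptions for illustration:

```python
import hashlib
import secrets
import time

# Constructed policy values for this example: a native iOS app may hold its
# refresh token for 30 days, a browser client only for 1 day; access tokens
# are short-lived for both client types.
REFRESH_TTL = {"ios": 30 * 86400, "web": 86400}
ACCESS_TTL = 15 * 60


def _digest(token: str) -> str:
    """Store only a hash of each token so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


class TokenServer:
    """Minimal token issuer: per-client refresh lifetimes, refresh-token
    rotation, and a lookup from any token to the (user, client) it belongs to."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested
        self.access = {}        # sha256(access_token)  -> {user, client, exp}
        self.refresh = {}       # sha256(refresh_token) -> {user, client, exp}

    def issue(self, user: str, client: str):
        """Mint an (access, refresh) pair for a registered client type."""
        if client not in REFRESH_TTL:
            raise ValueError(f"unregistered client type: {client}")
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[_digest(access)] = {"user": user, "client": client, "exp": now + ACCESS_TTL}
        self.refresh[_digest(refresh)] = {"user": user, "client": client, "exp": now + REFRESH_TTL[client]}
        return access, refresh

    def refresh_tokens(self, refresh_token: str):
        """Exchange a refresh token for a new pair; the old one is consumed."""
        rec = self.refresh.pop(_digest(refresh_token), None)
        if rec is None or rec["exp"] <= self.clock():
            return None  # unknown, already used, or past the client's lifetime
        return self.issue(rec["user"], rec["client"])

    def owner_of(self, access_token: str):
        """Resolve a presented access token to (user, client); None if invalid or expired."""
        rec = self.access.get(_digest(access_token))
        if rec is None or rec["exp"] <= self.clock():
            return None
        return rec["user"], rec["client"]
```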