-
How can I make a RESTful API secure? In an enterprise application, iOS and Java communicate over RESTful; if I want to improve security, what is a good choice? Is OAuth an option? Are there others?
-peter.zhang(peter);
2015-4-1
{111}
(#9357126@0)
-
Improving security is a big topic with many parts. If you bring up OAuth, that is mainly about identity authentication and authorization. It is not good for security in itself, because it introduces a new module and adds complexity. But for customers, being able to log in with a Facebook account instead of registering a new one is a good thing.
The security of a web API such as RESTful is mainly guaranteed by HTTPS. Using HTTPS secures the communication link and prevents tampering and eavesdropping.
Security is too broad a topic; let me leave it at that for now.
-baozidi(rola);
2015-4-1
{319}
(#9357923@0)
-
Could you recommend some materials and links for me to study?
-peter.zhang(peter);
2015-4-2
(#9358632@0)
-
I don't read many books; mostly I read blogs.
hack news is worth a look; the latest vulnerabilities and ideas show up there promptly.
The book 《加密与解密》 (Encryption and Decryption) is produced by the 看雪论坛 (Pediy forum); for me it was extremely sleep-inducing. Actually, if you read the HTTP protocol and SSL properly, you will roughly understand the ideas behind authentication, authorization, verification and so on in networking, and then apply them in the software you develop. If it is system architecture design, then technologies such as firewalls, intrusion detection and honeypots may need to be considered; you may not necessarily use them, but they will broaden your knowledge.
-baozidi(rola);
2015-4-2
{217}
(#9359871@0)
-
Use OAuth 2. In short, you will need an authorization server and a resource server, and everything must be under SSL. This is not a topic that can be easily covered.
-sowen(昂居居);
2015-4-4
{747}
(#9362332@0)
-
Why does the API have to treat the token differently if the request is coming from a web page? All requests have to be treated as untrusted, unless you have an infrastructure which can tell the difference ...
-canliu(暗香);
2015-4-4
(#9362382@0)
-
The only difference is how long you want before refreshing the token. A native mobile app might not have to refresh so frequently, to reduce the server load, as opposed to other sources.
-sowen(昂居居);
2015-4-4
(#9362398@0)
-
Another reason is: imagine you are an admin. You need to know which token in the DB belongs to which user requesting from which app, so you know what to do with them... for API purposes.
-sowen(昂居居);
2015-4-4
(#9362430@0)
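The two points sowen makes above (a per-client-type token lifetime, and a token store that records which user and which app each token belongs to) together with canliu's point that every request is untrusted, sketched as an added Python example that is not from the thread. The client types, lifetimes and the in-memory store are assumptions; a real deployment keeps the store in a database and serves everything over TLS as the thread says.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed policy: access-token lifetime in seconds per client type.
# A native mobile app refreshes less often than a browser session.
TOKEN_TTL = {"ios_native": 24 * 3600, "web": 15 * 60}


@dataclass
class TokenRecord:
    user: str         # who the token was issued to
    client_app: str   # which app requested it (the admin view needs this)
    expires_at: float


def _key(token: str) -> str:
    # Store only a digest: a leaked token table yields no usable bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthorizationServer:
    def __init__(self) -> None:
        self.tokens: Dict[str, TokenRecord] = {}  # sha256(token) -> record

    def issue(self, user: str, client_app: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.tokens[_key(token)] = TokenRecord(user, client_app, now + TOKEN_TTL[client_app])
        return token  # must travel to the client only over TLS

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[TokenRecord]:
        now = time.time() if now is None else now
        rec = self.tokens.get(_key(token))
        return rec if rec is not None and rec.expires_at > now else None

    def tokens_for_user(self, user: str) -> List[str]:
        # Admin view: which client apps currently hold tokens for this user.
        return sorted(r.client_app for r in self.tokens.values() if r.user == user)


def authorize_request(auth: AuthorizationServer, headers: dict,
                      now: Optional[float] = None) -> Optional[TokenRecord]:
    """Resource-server check. The request is untrusted whatever its origin, so
    only a valid, unexpired token in the store grants access; the client type
    only changed the lifetime at issue time, not the check performed here."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return auth.lookup(token, now)
```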