Building a RESTful API for an iPhone app with MVC - how do you secure it?

Time: 2023-01-12 23:49:36

I'm going to be writing the services for an iPhone app being built by a third party vendor.

I'll be using ASP.NET MVC to accept posts and also return JSON formatted data.

My question is, how do you secure it?

Just using an API key perhaps? Would that be enough to ensure that only data from the iPhone apps are allowed to hit the specified services?

2 solutions

#1


5  

I'm sort of struggling with the same concepts myself. I think the first thing is to do HTTPS only, so that it's starting out more secure than not.

Next, it depends on how you're going to do authentication. If all you need is an API key (to track which entity is accessing the data), that should be fine. If you also want to track user information, you'll need some way to associate which specific API keys can access which specific types of records, based on a join somewhere.

I'm looking at doing forms auth on my app, and using an auth cookie. Fortunately ASP.NET on IIS can do a lot of that heavy lifting for you.


Example time: (I'm sure I'll need to add more to this, but while I'm at work it gives something to gnaw on)

Forms auth: Send a pair (or more) of fields in a form body. This is POST through and through. There's no amount of non-reversible hashing that can make this secure. To secure it you must either always be behind a firewall from all intruding eyes (yeah right) or you must be over HTTPS. Simple enough.

Basic auth: Send a base64 encoded string of "username:password" over the wire as part of the header. Note that base64 is to security as a screen door is to a submarine. You do not want it to be unsecured. HTTPS is required.

API key: This says that an app is supposedly XYZ. This should be private. This has nothing to do with users. Preferably, at the time that the API key is requested, a public key is shared with the API grantor, allowing the API key to be encoded in transit, thus ensuring that it stays private but still proves the source is who they say they are. This can get complicated, but because there is an application process and because it won't change from the vendor, this can be done over HTTP. This does not mean per-user, this means per-developing-company-that-uses-your-api.

So what you want to have happen is that for the app accessing your data, that you want to make sure it's an authorized app, you can do negotiation using private keys for signing at runtime. This ensures that you're talking to the app you want to talk to. But remember, this does not mean that the user is who they say they are.

HOWEVER.

What you can do is you can use the API key and the associated public/private keys to encode the username and password information for sending them over the wire using HTTP. This is very similar to how HTTPS works but you're only encrypting the sensitive part of the message.

But to let a user track their information, you're going to have to assign a token at login, based on the user. So let them login, send the data over the wire using the appropriate system, then return some unique identifier that represents the user back to the app. Let the app then send that information every time that you are doing user specific tasks (generally all the time).

The way you send it over the wire is you tell the client to set a cookie, and all the httpClient implementations I've ever seen know that when they make a request to the server, they send back all cookies the server has ever set that are still valid. It just happens for you. So you set a cookie on your response on the server that contains whatever information you need to communicate with the client.


HTH, ask me more questions so we can refine this further.

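The "API key identifies the app, and a per-app secret signs each request at runtime" scheme described in the answer above, as an added example that is not part of the original answer. It uses a shared secret with HMAC-SHA256 rather than the public/private key pair the answer mentions, because that is what most API-key signing schemes actually deploy; the class names (`RequestSigner`, `ApiKeyVerifier`), the app key `app-xyz`, the secret and the sample request are all constructed for this example. Plain .NET (4.6+ or .NET Core) with no web framework, so it runs as a console program:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper shared by client and server: builds and signs the canonical string.
public static class RequestSigner
{
    // Binding method, path, API key, timestamp, nonce and a hash of the body into the signed
    // string means a captured signature is useless for any other request.
    public static string Canonical(string method, string path, string apiKey,
                                   long unixTime, string nonce, byte[] body)
    {
        string bodyHash;
        using (var sha = SHA256.Create())
            bodyHash = Convert.ToBase64String(sha.ComputeHash(body ?? new byte[0]));
        return string.Join("\n", method.ToUpperInvariant(), path, apiKey,
                           unixTime.ToString(), nonce, bodyHash);
    }

    public static string Sign(byte[] secret, string canonical)
    {
        using (var hmac = new HMACSHA256(secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
    }

    // Compare every byte regardless of where the first mismatch is, so response timing does
    // not leak how much of a forged signature was correct.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Server side (hypothetical). The API key identifies the vendor's app; the secret was handed
// to the vendor once, out of band, when the key was issued, and never travels on the wire.
public class ApiKeyVerifier
{
    private readonly IDictionary<string, byte[]> _secrets;
    private readonly TimeSpan _maxSkew;
    // Nonces accepted inside the skew window; a real deployment bounds and expires this cache.
    private readonly HashSet<string> _seen = new HashSet<string>();

    public ApiKeyVerifier(IDictionary<string, byte[]> secrets, TimeSpan maxSkew)
    {
        _secrets = secrets;
        _maxSkew = maxSkew;
    }

    public bool Verify(string method, string path, byte[] body, string apiKey,
                       long unixTime, string nonce, string signature, DateTimeOffset now)
    {
        byte[] secret;
        if (!_secrets.TryGetValue(apiKey, out secret)) return false;   // unknown app
        var sent = DateTimeOffset.FromUnixTimeSeconds(unixTime);
        if ((now - sent).Duration() > _maxSkew) return false;         // stale or future-dated
        byte[] given;
        try { given = Convert.FromBase64String(signature); }
        catch (FormatException) { return false; }
        byte[] expected;
        using (var hmac = new HMACSHA256(secret))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(
                RequestSigner.Canonical(method, path, apiKey, unixTime, nonce, body)));
        if (!RequestSigner.FixedTimeEquals(expected, given)) return false;
        // Record the nonce only after the signature checks out, so an attacker cannot fill
        // the cache with junk nonces and lock out the legitimate app. false here means replay.
        return _seen.Add(apiKey + ":" + nonce);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: one registered app and its secret.
        var secret = Encoding.UTF8.GetBytes("vendor-secret-issued-at-registration");
        var verifier = new ApiKeyVerifier(
            new Dictionary<string, byte[]> { { "app-xyz", secret } }, TimeSpan.FromMinutes(5));

        // Client side: the iPhone app builds the canonical string and signs it per request.
        var now = DateTimeOffset.UtcNow;
        long ts = now.ToUnixTimeSeconds();
        string nonce = Guid.NewGuid().ToString("N");
        byte[] body = Encoding.UTF8.GetBytes("{\"item\":42}");
        string sig = RequestSigner.Sign(secret,
            RequestSigner.Canonical("POST", "/api/orders", "app-xyz", ts, nonce, body));

        Console.WriteLine("genuine:  " + verifier.Verify("POST", "/api/orders", body, "app-xyz", ts, nonce, sig, now));
        Console.WriteLine("replayed: " + verifier.Verify("POST", "/api/orders", body, "app-xyz", ts, nonce, sig, now));
        byte[] tampered = Encoding.UTF8.GetBytes("{\"item\":43}");
        Console.WriteLine("tampered: " + verifier.Verify("POST", "/api/orders", tampered, "app-xyz", ts,
                                                         Guid.NewGuid().ToString("N"), sig, now));
        Console.WriteLine("stale:    " + verifier.Verify("POST", "/api/orders", body, "app-xyz", ts,
                                                         Guid.NewGuid().ToString("N"), sig, now.AddMinutes(10)));
    }
}
```

The first call is the genuine request and passes; the three that follow (the same request replayed, a modified body, and a request older than the skew window) are rejected. Two caveats for the original question: this still has to run over HTTPS, since the signature proves who built the request but does not hide the body; and a secret compiled into a shipped iPhone app can be pulled out of the binary, so app-level signing raises the bar for casual abuse but cannot by itself guarantee that "only the iPhone app" reaches the service. User identity stays a separate step (the login token or cookie the answer describes).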
#2


2  

One option would be to use forms authentication and use the authentication cookie. Also, make sure all the service calls are being sent over SSL.

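The forms-authentication-cookie-over-SSL setup that both answers recommend, as an added example that is not part of either answer. It assumes ASP.NET MVC 5 on .NET Framework 4.5+; `SessionController`, `OrdersController`, `ApiAuthorizeAttribute` and the user-store call are hypothetical names for this example, and the web.config fragment at the end is the matching configuration:

```csharp
using System.Web.Mvc;
using System.Web.Security;

public class FilterConfig
{
    // Force every request onto TLS. A plain-HTTP GET is redirected and a plain-HTTP POST gets
    // a 403, so a client that accidentally uses http:// never sends the password or the cookie
    // in the clear. Register this from Application_Start.
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new RequireHttpsAttribute());
    }
}

// For a JSON API the client should see a 401, not a 302 to a login page. The stock
// [Authorize] sets 401 and FormsAuthenticationModule then turns it into a redirect;
// suppressing that redirect (available since .NET 4.5) keeps the status code.
public class ApiAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
        filterContext.Result = new HttpStatusCodeResult(401);
    }
}

public class SessionController : Controller
{
    [HttpPost]
    public ActionResult Login(string username, string password)
    {
        // Hypothetical user store; Membership.ValidateUser stands in for whatever the app uses.
        if (!Membership.ValidateUser(username, password))
        {
            Response.StatusCode = 401;
            return Json(new { error = "invalid credentials" });
        }
        // Issues the .ASPXAUTH cookie. With <forms requireSSL="true"> it is marked Secure and
        // with <httpCookies httpOnlyCookies="true"> it is marked HttpOnly. A non-persistent
        // cookie expires when the forms timeout elapses rather than living on the device.
        FormsAuthentication.SetAuthCookie(username, createPersistentCookie: false);
        return Json(new { ok = true });
    }

    [HttpPost]
    [ApiAuthorize]
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();
        return Json(new { ok = true });
    }
}

public class OrdersController : Controller
{
    // The cookie identifies the user on every call; nothing else needs to be sent.
    [HttpGet]
    [ApiAuthorize]
    public ActionResult Mine()
    {
        string user = User.Identity.Name;
        return Json(new { user = user, orders = new string[0] }, JsonRequestBehavior.AllowGet);
    }
}

/* web.config, inside <system.web> (constructed to match the code above):
<authentication mode="Forms">
  <forms loginUrl="~/Session/Login" requireSSL="true" timeout="30" slidingExpiration="true" />
</authentication>
<httpCookies httpOnlyCookies="true" requireSSL="true" />
*/
```

The iPhone client posts the credentials once to `/Session/Login`, stores the cookie from the response (Cocoa's URL loading does this automatically through the shared cookie storage, which is the "it just happens for you" behaviour the first answer describes), and then every later request carries it. `requireSSL="true"` is the setting to check: without it the auth cookie is accepted over plain HTTP, and the SSL-only advice in this answer is only enforced by convention.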