ASP.NET MVC Framework 'REST-like' API
I have developed a 'REST-like' XML API that I wish to expose for consumption by third-party web applications. I'm now looking to implement a security model for the exchange of data between a third-party application and the 'REST-like' XML API. I would appreciate suggestions for a suitable asymmetric encryption model.
Comments (3)
If you want encryption why not just use SSL to encrypt the connection rather than encrypting the response data? If 128-bit SSL isn't sufficient, then you'll either need to integrate some existing PKI infrastructure using an external, trusted authority or develop a key distribution/sharing infrastructure yourself and issue your public key and a suitable private key/identifier to your API consumers. Choose one of the cryptography providers in System.Security.Cryptography that supports public/private key exchange.
HTTPS works with asymmetric key encryption. It is a well-known protocol that is easy to implement.
It protects against 3p intrusion in your communication.
All you need to implement "below" is authentication - to make sure your user is known to you.
A common thing to do is to provide users with a key that needs to be sent with every request.
Most common is to implement the OAuth protocol. This is what is used for the OpenSocial providers that check authorization with 2-legged and/or 3-legged OAuth.
Just do a Google search and you will find a lot of implementations.
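
The second comment suggests issuing each consumer a key that accompanies every request over HTTPS. The following is an added example, not code from any of the posters, and it goes one step further than sending the key: the consumer signs each request with HMAC-SHA256 from System.Security.Cryptography, so the secret itself never travels. The class name, consumer id, secret and the layout of the signed string are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example; RequestAuthenticator and all sample values are hypothetical.
public static class RequestAuthenticator
{
    // Constructed sample store: consumer id -> shared secret issued out of band.
    static readonly Dictionary<string, byte[]> Secrets = new Dictionary<string, byte[]>
    {
        { "consumer-123", Encoding.UTF8.GetBytes("constructed-sample-secret") }
    };
    const long MaxSkewSeconds = 300; // accept timestamps within five minutes

    // Consumer side: sign method, path, timestamp and body with the shared secret.
    public static string Sign(byte[] secret, string method, string path, long unixTime, string body)
    {
        string canonical = method.ToUpperInvariant() + "\n" + path + "\n" + unixTime + "\n" + body;
        using (var hmac = new HMACSHA256(secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
    }

    // API side: reject unknown consumers, stale timestamps and bad signatures.
    public static bool Verify(string consumerId, string signature, string method,
                              string path, long unixTime, string body, DateTimeOffset now)
    {
        byte[] secret;
        if (consumerId == null || signature == null || method == null || path == null) return false;
        if (!Secrets.TryGetValue(consumerId, out secret)) return false;
        long nowSec = now.ToUnixTimeSeconds();
        if (unixTime < nowSec - MaxSkewSeconds || unixTime > nowSec + MaxSkewSeconds) return false;
        byte[] expected = Encoding.UTF8.GetBytes(Sign(secret, method, path, unixTime, body ?? ""));
        return FixedTimeEquals(expected, Encoding.UTF8.GetBytes(signature));
    }

    // Comparison whose duration does not depend on where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Within the five-minute window a captured request can still be replayed, so this sits on top of HTTPS as the comments recommend, not in place of it.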