Is a ReSTful web service really the answer in my case?

Posted on 2024-11-04 03:39:02

Wondering if ReSTful webservice is really the answer in my case of Enterprise application where there are some security concerns such as avoiding man-in-the-middle attacks, ensuring that a trusted client is connecting, client being sure that it is indeed talking to the real server etc.

Is HTTPS the solution? Have read some concerns being raised about its adequacy and fitment, although with a not-so-strong background in IT/application security, don't quite understand, why so!

I see ReST being talked (/ raved) about, and being projected as The-thing, and do see its adoption picking up, but can't seem to understand why the security thing isn't such a big concern, and if it is, what can be done about it.

Comments (2)

峩卟喜欢 2024-11-11 03:39:02

If you are really serious about securing your service and avoiding man-in-the-middle attacks you should issue certificates to your clients and only accept requests that are signed with those certificates. It is more work for you and for your clients, but in an Enterprise setting, the extra effort may be worth it. It is definitely an option that is worth looking into.
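The setup this answer describes, read here as TLS client-certificate authentication (mutual TLS) and sketched with Python's standard `ssl` module as an added example that is not part of the original answer: the server refuses clients without a certificate from its CA, and the client verifies the server's chain and hostname. The function names, the file-path parameters and the common-name allowlist are assumptions, and the sample peer certificate is constructed.

```python
import ssl

def server_context(client_ca=None, cert=None, key=None):
    """Server side: refuse any client that has no certificate from our CA.
    Paths default to None so the settings can be inspected without key
    material; a real deployment passes all three."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # handshake fails without a client cert
    if client_ca:                            # CA that issued the client certificates
        ctx.load_verify_locations(cafile=client_ca)
    if cert:                                 # the server's own identity
        ctx.load_cert_chain(cert, key)
    return ctx

def client_context(server_ca=None, cert=None, key=None):
    """Client side: verify the server's chain and hostname, present our cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=server_ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets CERT_REQUIRED and check_hostname=True;
    # switching either off is what re-opens the man-in-the-middle window.
    if cert:
        ctx.load_cert_chain(cert, key)
    return ctx

def client_common_name(peercert):
    """Pull commonName out of the dict returned by SSLSocket.getpeercert()."""
    for rdn in (peercert or {}).get("subject", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return None

def is_authorized(peercert, allowed_names):
    """A valid chain proves who the client is; the allowlist decides access."""
    name = client_common_name(peercert)
    return name is not None and name in allowed_names

# Constructed sample in getpeercert() format (not from a real certificate).
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "billing-client"),)),
}

if __name__ == "__main__":
    print(server_context().verify_mode, client_context().check_hostname)
    print(is_authorized(SAMPLE_PEERCERT, {"billing-client"}))
```

On the server, `is_authorized` would be called with the result of `getpeercert()` on the accepted connection before the request is handled.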

慵挽 2024-11-11 03:39:02

Out of the box you are not going to have any type of message level security, and you would need to leverage HTTPS to do transport level security.

I have seen people attempt to use signed Atom feeds, but it's nothing to the level of the WS-* stack that comes with SOAP.
