
I have a REST API and to make it more secure I would like to restrict access to registered applications or websites only.

Now these client applications could be web apps or mobile apps under Android/Windows/BlackBerry/Apple etc.

Also I can't ask the client apps to modify their code to store any value provided by my REST API to get registered (as these apps may or may not be using a database or other persistent media).

WCF REST API should not that the caller is registered with it or not.

Any suggestions on how to do it?


1 Answer


Using HTTP Basic authentication (as long as your REST service runs under HTTPS) is a very standard approach. You then generate a login/password for each registered application that wants to access the API.

[Edit: more details here: http://en.wikipedia.org/wiki/Basic_access_authentication

Basically, when a client connects they need to Base64-encode their username/password and attach it in the standard HTTP Authorization header. Your server application reads the header, decodes it, extracts the username/password and checks them against your list of authorized applications.

Note - the header is only base64-encoded, so the username/password are effectively plain text. If you want to use this authentication method you really should run HTTPS, otherwise the header can be intercepted]

answered 2013-07-27T16:05:28.420
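As an added example (not code from the answer above or from WCF), here is the Basic-auth exchange the answer describes: the client side builds the `Authorization` header, and the server side parses it, decodes it and checks it against a constructed registry of registered applications. The registry, app names and passwords are assumed sample values; the check uses a constant-time comparison and rejects missing, non-Basic or malformed headers.

```python
import base64
import binascii
import hmac

# Constructed registry of registered applications (app id -> password).
# A real deployment would store salted password hashes rather than plaintext.
REGISTERED_APPS = {
    "mobile-android": "s3cret-android",
    "web-frontend": "s3cret-web",
}


def build_basic_header(app_id: str, password: str) -> str:
    """Client side: build the Authorization header value for HTTP Basic auth."""
    token = base64.b64encode(f"{app_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header):
    """Server side: return (app_id, password) from an Authorization header,
    or None when the header is missing, malformed or not Basic."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # A password may itself contain ':'; only the first one separates the fields.
    app_id, sep, password = decoded.partition(":")
    return (app_id, password) if sep else None


def authenticate(header):
    """Return the registered app id when the credentials check out, else None."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    app_id, password = creds
    expected = REGISTERED_APPS.get(app_id)
    if expected is None:
        return None
    # Constant-time comparison so timing does not reveal how much of the password matched.
    if not hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return None
    return app_id
```

Because the header is only base64-encoded, `parse_basic_header` recovers the password verbatim, which is exactly why the answer insists on HTTPS.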