Protect RESTful webservice URL

This question already has an answer here:

  • RESTful Authentication 13 answers

From the server's point of view there is no difference between answering a RESTful service request and answering a page request.

Thus you can use exactly the same mechanisms.

This is valid whatever way the REST service is requested: from an application, from Angular, etc.

Concrete example

The most common is to use a login with password authentication, which provides a cookie to the user, which is sent together with the request when that request is later issued.

In order to do that you can have a RESTful API endpoint such as 'login' which will be called by specifying username and password.

It could look like this:

    https://yoursite.com/api/login?user=xxx&pwd=xxx

Your server would then check whether username and password are correct, and if so simply answer an almost empty message, but with the following header included:

    Set-Cookie: session=yyyyyyyyyy

Later on, your users can query your RESTful service normally, and the cookie will be automatically added to their requests. Your server will be able to check if the session id is valid, and if not, deny the resource.
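The login-then-cookie flow described in this answer, as an added example that is not part of the original post. It is framework-agnostic Python using only the standard library: a login handler verifies the password against a salted PBKDF2 hash, issues a random session id in a Set-Cookie header with HttpOnly, Secure and SameSite attributes, and every other endpoint is served only when the request's Cookie header carries a live session. The user store, session store, `/api/login` and `/api/profile` paths, and the use of a POST body rather than query-string credentials (so user and password do not end up in access logs or browser history) are all assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

PBKDF2_ITERATIONS = 200_000
SESSION_TTL_SECONDS = 3600

# Constructed in-memory stores (assumption: a real service would keep these in a
# database or cache so that sessions survive restarts and work across instances).
USERS = {}     # username -> (salt, pbkdf2 digest); the clear-text password is never stored
SESSIONS = {}  # session id -> (username, expiry as unix time)


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation so leaked hashes cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def add_user(username: str, password: str) -> None:
    """Register a user with a fresh random salt."""
    salt = os.urandom(16)
    USERS[username] = (salt, _derive(password, salt))


# Dummy credential so that an unknown username costs the same time as a known one
# (otherwise response time would reveal which usernames exist).
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _derive(secrets.token_hex(16), _DUMMY_SALT)


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison of the derived hash against the stored one."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    matches = hmac.compare_digest(_derive(password, salt), expected)
    return matches and username in USERS


def login(username: str, password: str):
    """Return (status, headers, body); on success the only payload is the Set-Cookie header."""
    if not verify_password(username, password):
        return 401, {}, b"invalid credentials"
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable session id
    SESSIONS[sid] = (username, time.time() + SESSION_TTL_SECONDS)
    # HttpOnly keeps scripts from reading it, Secure restricts it to HTTPS,
    # SameSite=Strict stops cross-site requests from carrying it (CSRF).
    cookie = (f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict; "
              f"Max-Age={SESSION_TTL_SECONDS}")
    return 200, {"Set-Cookie": cookie}, b""


def current_user(cookie_header):
    """Map the request's Cookie header to a username, or None if the session is missing, unknown or expired."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("session")
    if morsel is None:
        return None
    entry = SESSIONS.get(morsel.value)
    if entry is None:
        return None
    username, expires_at = entry
    if time.time() >= expires_at:
        SESSIONS.pop(morsel.value, None)  # lazy expiry of stale sessions
        return None
    return username


def handle_request(method: str, path: str, headers: dict, body: bytes = b""):
    """Minimal router: /api/login issues the cookie, every other path requires a valid session."""
    if path == "/api/login":
        if method != "POST":
            return 405, {"Allow": "POST"}, b""
        form = parse_qs(body.decode("utf-8"))
        return login(form.get("user", [""])[0], form.get("pwd", [""])[0])
    user = current_user(headers.get("Cookie"))
    if user is None:
        return 401, {}, b"authentication required"
    if path == "/api/profile":
        return 200, {"Content-Type": "text/plain"}, f"hello {user}".encode("utf-8")
    return 404, {}, b"not found"


if __name__ == "__main__":
    add_user("alice", "correct horse battery staple")  # constructed test account
    status, hdrs, _ = handle_request("POST", "/api/login", {}, b"user=alice&pwd=correct+horse+battery+staple")
    print(status, hdrs)
    cookie = hdrs["Set-Cookie"].split(";")[0]
    print(handle_request("GET", "/api/profile", {"Cookie": cookie}))
    print(handle_request("GET", "/api/profile", {"Cookie": "session=forged"}))
```

The server never trusts anything in the cookie beyond using it as a lookup key: the session id carries no user data, so a forged or guessed value simply fails the dictionary lookup. Revocation (logout, password change) is then a matter of deleting the entry from the session store.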
