I'm developing a Spring Boot web application that provides a REST API. Most of my pages (Thymeleaf templates) use this API to communicate with the back-end (using AJAX requests). I have read about different approaches such as Basic Authentication, OAuth2, etc. These approaches describe user authentication, after which users can access the API. But I don't want users to communicate directly with my API using a browser or REST client (i.e. the Postman Chrome extension, which has access to the browser's cookies, where access tokens are usually stored).
I have something like this:
(1) User --> (2) MyOwnPages --> (3) RestAPI.
Is there a way to prevent direct communication 1-3?
Can I somehow determine that a request was made from my pages (i.e. add to each request some sort of access token)? Are there any best practices?
Thanks!
No, it's completely impossible. You could add tokens to make it harder, generate things in JavaScript, etc, etc, but all that would do is make your page slower and more likely to crash.
The flow is not:
But rather:
And since it's the browser that's making the call to your API, there's no sensible way to tell the difference between that, cURL, Postman, etc. Anything you can do, the user can put, say, Wireshark in the way to see exactly what is being sent, and from that they can do whatever the browser is doing.
It would be more helpful to understand exactly why you want to do this, as there is likely to be a better solution for whatever your end goal is.
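The point made in the answer, as an added example that is not part of the original question or answer: the server embeds a session-bound, expiring HMAC token in each rendered page and the API checks it, yet a request resent by the same user from a REST client is accepted because the API sees identical bytes. The `X-Page-Token` header name, session ids, key and TTL are hypothetical values chosen for the illustration.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"   # constructed value; a real key stays server-side
TOKEN_TTL = 300                        # seconds a page token stays valid (assumed)


def issue_page_token(session_id, now=None):
    """Token the server embeds in a rendered page, bound to the session."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_KEY, f"{session_id}|{ts}".encode(), hashlib.sha256)
    return f"{ts}.{mac.hexdigest()}"


def api_accepts(request, now=None):
    """What the REST API can verify: headers and token, never the sending program."""
    now = time.time() if now is None else now
    h = request["headers"]
    if h.get("X-Requested-With") != "XMLHttpRequest":
        return False
    ts, _, sig = h.get("X-Page-Token", "").partition(".")
    if not ts.isdecimal() or now - int(ts) > TOKEN_TTL:
        return False
    expected = hmac.new(SERVER_KEY, f"{request['session']}|{ts}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig.encode(), expected.encode())


def demo():
    t0 = 1_700_000_000  # constructed timestamp
    token = issue_page_token("sess-42", now=t0)
    from_page = {"session": "sess-42",
                 "headers": {"X-Requested-With": "XMLHttpRequest",
                             "X-Page-Token": token}}
    # Same user, same headers, sent by a REST client instead of the page script.
    from_rest_client = {"session": from_page["session"],
                        "headers": dict(from_page["headers"])}
    other_session = {"session": "sess-99", "headers": dict(from_page["headers"])}
    return {
        "page": api_accepts(from_page, now=t0 + 10),
        "rest_client": api_accepts(from_rest_client, now=t0 + 10),
        "other_session": api_accepts(other_session, now=t0 + 10),
        "expired": api_accepts(from_page, now=t0 + TOKEN_TTL + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The token does bind a request to a session and a time window, which is what the server can actually enforce; it says nothing about which program sent the request.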