I am using Cloud Endpoints v2 for Java. My problem is that anyone can access these endpoint methods through the API Explorer, or directly from a URL that someone happens to know. I want to protect my endpoints. I read the documentation on how to use API keys to restrict the whole API or certain methods: Restricting API Access with API Keys
This is what I am trying.
import com.google.api.server.spi.config.AnnotationBoolean;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.config.Named;

@Api(
    name = "zeem",
    version = "v1"
)
public class Account {
    // apiKeyRequired only marks the method as requiring a key in the generated API configuration
    @ApiMethod(name = "getRegistration", path = "getRegistration", apiKeyRequired = AnnotationBoolean.TRUE)
    public Registered getRegistration(@Named("phone") Long phone) {
        // code ....
    }
}
I can call this method without any API key and it works successfully.
Even when I try to access this method directly from the URL, it works.
http://localhost:8080/_ah/api/zeem/v1/getRegistration?phone=123 // Successfully getting response
Can you tell me what I am doing wrong? Is there something I have missed?
Update - OpenAPI document
Yes, I have added API management here; this is what the openapi.json for this function looks like.
"/zeem/v1/getRegistration": {
  "get": {
    "operationId": "ZeemGetRegistration",
    "parameters": [
      {
        "name": "phone",
        "in": "query",
        "required": true,
        "type": "integer",
        "format": "int64"
      }
    ],
    "responses": {
      "200": {
        "description": "A successful response",
        "schema": {
          "$ref": "#/definitions/Registered"
        }
      }
    },
    "security": [
      {
        "api_key": [ ]
      }
    ]
  }
},
Here is what the console looks like.
What am I missing?
Update: web.xml
<?xml version="1.0" encoding="utf-8"?>
<!-- [START_EXCLUDE] -->
<!--
  Copyright 2016 Google Inc.
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- [END_EXCLUDE] -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
  <welcome-file-list>
    <welcome-file>welcome</welcome-file>
  </welcome-file-list>

  <!-- OBJECTIFY -->
  <filter>
    <filter-name>ObjectifyFilter</filter-name>
    <filter-class>com.googlecode.objectify.ObjectifyFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>ObjectifyFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- ENDPOINTS -->
  <servlet>
    <servlet-name>EndpointsServlet</servlet-name>
    <servlet-class>com.google.api.server.spi.EndpointsServlet</servlet-class>
    <init-param>
      <param-name>services</param-name>
      <param-value>
        org.octabyte.zeem.API.Account,
        org.octabyte.zeem.API.CommentApi,
        org.octabyte.zeem.API.FriendApi,
        org.octabyte.zeem.API.ListApi,
        org.octabyte.zeem.API.PostApi,
        org.octabyte.zeem.API.SearchApi,
        org.octabyte.zeem.API.UserApi,
        org.octabyte.zeem.API.StoryApi
      </param-value>
    </init-param>
  </servlet>

  <!-- Route API method requests to the backend. -->
  <servlet-mapping>
    <servlet-name>EndpointsServlet</servlet-name>
    <url-pattern>/_ah/api/*</url-pattern>
  </servlet-mapping>

  <!-- Security -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
Posted on 2018-08-26 04:15:26
There is a misunderstanding about what API key access restriction is. API key restriction is used to limit which APIs a key is allowed to access; it does not handle user authentication in any shape or form.
There are several ways to authenticate the users of your endpoints; for example, you can use API management, and you may also want to look into OpenAPI.
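The API management the answer refers to is wired in through two servlet filters placed in front of EndpointsServlet, and the web.xml in the question contains neither. The block below is an added illustration, not code from the question or the answer: it reproduces the filter configuration as I recall it from Google's "Adding API management" guide for Endpoints Frameworks for Java, and assumes that the endpoints-management-control-appengine-all dependency is on the classpath, that the generated openapi.json has already been deployed to Service Management, and that the build substitutes the real project id for the ${endpoints.project.id} placeholder.

```xml
<!-- Added example: Endpoints Management filters for web.xml (not from the question or answer).
     Assumptions: endpoints-management-control-appengine-all is on the classpath,
     openapi.json has been deployed, and ${endpoints.project.id} is replaced at build time. -->

<!-- Fetches the deployed service configuration, which carries the api_key
     security requirement that apiKeyRequired = TRUE put into openapi.json. -->
<filter>
    <filter-name>endpoints-api-configuration</filter-name>
    <filter-class>com.google.api.control.ServiceManagementConfigFilter</filter-class>
</filter>

<!-- Checks every request against that configuration (API key validation, quota, reporting)
     before it reaches EndpointsServlet; a request without a valid key is rejected here. -->
<filter>
    <filter-name>endpoints-api-controller</filter-name>
    <filter-class>com.google.api.control.extensions.appengine.GoogleAppEngineControlFilter</filter-class>
    <init-param>
        <param-name>endpoints.projectId</param-name>
        <param-value>${endpoints.project.id}</param-value>
    </init-param>
    <init-param>
        <param-name>endpoints.serviceName</param-name>
        <param-value>${endpoints.project.id}.appspot.com</param-value>
    </init-param>
</filter>

<!-- Map both filters by servlet name so they cover every method routed through /_ah/api/*.
     The configuration filter must be declared first so it runs before the controller. -->
<filter-mapping>
    <filter-name>endpoints-api-configuration</filter-name>
    <servlet-name>EndpointsServlet</servlet-name>
</filter-mapping>
<filter-mapping>
    <filter-name>endpoints-api-controller</filter-name>
    <servlet-name>EndpointsServlet</servlet-name>
</filter-mapping>
```

Without these filters, apiKeyRequired only adds the api_key security requirement to the generated openapi.json; the servlet routing shown in the question performs no key check of its own, which matches the behaviour observed with the direct URL.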
https://stackoverflow.com/questions/52005671