使用身份验证令牌的 Java REST 服务
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/13987165/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Java REST service using authentication token
提问by Spring
On my web app using Java EE 6. I want to expose some of my functionality as a Json Rest Service. I want to use authentication tokens for login, User will send their username, password and server will send back a token, which will be used to authorize the user on their further requests for a given time..
在我使用 Java EE 6 的 Web 应用程序上。我想将我的一些功能公开为 Json Rest 服务。我想使用身份验证令牌进行登录,用户将发送他们的用户名、密码,服务器将发回一个令牌,该令牌将用于授权用户在给定时间内的进一步请求。
A few questions bothering me so far;
到目前为止困扰我的几个问题;
When the server creates the token and sends to client, should server save it in a DB OR in a Bean using something like a hashtable as userid-token pairs?
Can I get some help using any Java EE specific API or this has to be all custom code?
当服务器创建令牌并发送给客户端时,服务器是否应该使用哈希表之类的东西作为用户 ID 令牌对将其保存在 DB 或 Bean 中?
我可以使用任何 Java EE 特定的 API 获得一些帮助吗,或者这必须是所有自定义代码?
采纳答案by cowls
Heres my input:
这是我的输入:
I would save the token in DB, in case you need to restart the server you don't want to lose all your user's tokens. You could potentially save it in memory as well to speed up requests and only look it up in DB if it is not found in memory.
I would accept the token in the header. I would put the rest service on HTTPS so the request is encrypted and then you don't need to worry about encrypting the token manually in the request
I would probably look at JAX-RS and see what features it offers
我会将令牌保存在数据库中,以防您需要重新启动服务器,而您不想丢失所有用户的令牌。您也可以将它保存在内存中以加快请求速度,如果在内存中找不到它,则仅在数据库中查找它。
我会接受标头中的令牌。我会将其余服务放在 HTTPS 上,以便对请求进行加密,然后您无需担心在请求中手动加密令牌
我可能会看看 JAX-RS,看看它提供了什么功能
回答by Iain Porter
I recently bloggedon how to set up Role-based authorization in a JAX-RS REST API using both a simple session token approach and a more secure method of signing requests using the session token as a shared secret.
我最近在博客中介绍了如何使用简单的会话令牌方法和使用会话令牌作为共享密钥签署请求的更安全方法在 JAX-RS REST API 中设置基于角色的授权。
It boils down to:
归结为:
- Get a session token from the server along with some identifier for the user
- Use the token to encrypt the information in the request
- Also use a timestamp and nonce value to prevent MITM attacks
- Never pass the session token back and forth except for when retrieving it initially
- Have an expiry policy on session tokens
- 从服务器获取会话令牌以及用户的一些标识符
- 使用令牌对请求中的信息进行加密
- 还使用时间戳和随机数值来防止 MITM 攻击
- 永远不要来回传递会话令牌,除非最初检索它
- 对会话令牌有到期政策
回答by Xetius
Saving the token in a bean or hash table would not be persistent. A DB would persist between executions.
将令牌保存在 bean 或哈希表中不会是持久的。DB 将在执行之间持续存在。
If you are going to be using REST then you can either pass the authentication in the parameters to the method, or in the request header itself. Encryption is a different matter. I guess it depends on the scale of the system, and how open it is. If security is a top importance, then yes, you should find some form of encryption.
如果您打算使用 REST,那么您可以将参数中的身份验证传递给方法,也可以传递到请求标头本身中。加密是另一回事。我想这取决于系统的规模,以及它的开放程度。如果安全是最重要的,那么是的,您应该找到某种形式的加密。
I have done similar things using the Spring Framework, and Spring Security. These things are relatively simple using this. To write custom code is to reinvent the wheel. There are many frameworks out there which will help you. However, you would then have the learning curve of the framework.
我使用Spring Framework和Spring Security做了类似的事情。这些东西用这个就比较简单了。编写自定义代码就是重新发明轮子。有很多框架可以帮助你。但是,您将获得该框架的学习曲线。
