如何在RESTful Web服务中实现登录? [英] How do I implement login in a RESTful web service?

问题描述

我正在构建带有服务层的Web应用程序.服务层将使用RESTful设计构建.这种想法是，在将来的某个时候，我们可能会构建使用与Web应用程序相同的服务层的其他应用程序(iPhone，Android等).我的问题是-如何实现登录?我认为我无法从更传统的基于动词的设计过渡到基于资源的设计.如果我使用SOAP构建它，则可能会有一个称为Login的方法.在REST中，我应该有一个资源.我很难理解如何为登录构建URI.应该是这样的:

I am building a web application with a services layer. The services layer is going to be built using a RESTful design. The thinking is that some time in the future we may build other applications (iPhone, Android, etc.) that use the same services layer as the web application. My question is this - how do I implement login? I think I am having trouble moving from a more traditional verb based design to a resource based design. If I was building this with SOAP I would probably have a method called Login. In REST I should have a resource. I am having difficulty understanding how I should construct my URI for a login. Should it be something like this:

http://myservice/ {用户名}?p = {密码}

http://myservice/{username}?p={password}

前端Web应用程序使用传统的ASP.NET框架进行身份验证.但是，在身份验证过程中的某个时刻，我需要验证提供的凭据.在传统的Web应用程序中，我将进行数据库查找.但是在这种情况下，我将调用服务而不是进行数据库查找.因此，我在服务中需要一些可以验证提供的凭据的东西.而且，除了验证提供的凭据外，在用户成功通过身份验证后，我可能还需要有关用户的某种信息-例如其全名，其ID等.我希望这可以使问题更清楚.

The front end web application uses the traditional ASP.NET framework for authentication. However at some point in the authentication process I need to validate the supplied credentials. In a traditional web application I would do a database lookup. But in this scenario I am calling a service instead of doing a database lookup. So I need something in the service that will validate the supplied credentials. And in addition to validating the supplied credentials I probably also need some sort of information about the user after they have successfully authenticated - things like their full name, their ID, etc. I hope this makes the question clearer.

或者我不是在考虑正确的方法吗?我觉得我很难正确地描述我的问题.

Or am I not thinking about this the right way? I feel like I am having difficulty describing my question correctly.

科里

推荐答案

正如S.Lott所指出的，我们在这里有两方面的内容:登录和身份验证

As S.Lott pointed out already, we have a two folded things here: Login and authentication

这里不进行身份验证，因为对此进行了广泛的讨论并且存在共识.但是，对于RESTful Web服务成功地对客户端进行身份验证，我们实际上需要什么呢?是的，某种令牌，我们称它为访问令牌.

Authentication is out-of-scope here, as this is widely discussed and there is common agreement. However, what do we actually need for a client successfully authenticate itself against a RESTful web service? Right, some kind of token, let's call it access-token.

客户端)那么，我所需要的只是一个访问令牌，但是如何获得这种RESTful?
服务器)为什么不简单地创建它?
客户)怎么了?
服务器)对我来说，访问令牌只不过是一种资源.因此，我将为您创建一个，以换取您的用户名和密码.

Client) So, all I need is an access-token, but how to get such RESTfully?
Server) Why not simply creating it?
Client) How comes?
Server) For me an access-token is nothing else than a resource. Thus, I'll create one for you in exchange for your username and password.

因此，服务器可以提供资源URL"/accesstokens"，以便将用户名和密码发布到该URL，并将链接返回到新创建的资源"/accesstokens/{accesstoken}". 或者，您返回包含访问令牌和带有资源链接的href的文档:

Thus, the server could offer the resource URL "/accesstokens", for POSTing the username and password to, returning the link to the newly created resource "/accesstokens/{accesstoken}". Alternatively, you return a document containing the access-token and a href with the resource's link:

<access-token
  id="{access token id goes here; e.g. GUID}"
  href="/accesstokens/{id}"
/>

很可能您实际上没有将访问令牌创建为子资源，因此不会在响应中包含其href.
但是，如果您这样做，客户端可以代表它生成链接吗?不！
请记住，真正的RESTful Web服务将资源链接在一起，使客户端可以自行导航而无需生成任何资源链接.

Most probably, you don't actually create the access-token as a subresource and thus, won't include its href in the response.
However, if you do so, the client could generate the link on its behalf or not? No!
Remember, truly RESTful web services link resources together in a way that the client can navigate itself without the need for generating any resource links.

您可能要问的最后一个问题是，您是否应该将用户名和密码以HTML表单或文档的形式发布，例如XML或JSON-这取决于...:-)

The final question you probably have is if you should POST the username and password as a HTML form or as a document, e.g. XML or JSON - it depends... :-)

这篇关于如何在RESTful Web服务中实现登录?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！