Authentication scheme for multi-tiered web application utilizing REST API


Problem description

I am building a web application in which two of the major components are the website and a backend RESTful web service. The website will make calls to the RESTful web service, which does the heavy lifting. I am planning to use Spring Security for both tiers. I imagine that the website will use form authentication and the RESTful API will use basic authentication (over SSL). However, I'm not sure how to provide authentication credentials to the REST API, as the website will likely have a session cookie after the initial login. Can anyone provide some pointers on an authentication scheme that will work in this multi-tiered application? Thanks!

I should mention that the REST API will be consumed by a mobile application as well.

Recommended answer

One way to do it is using Remember Me on the web site and the REST service. The web site would force remember me (you can set the expiration time and/or make it a session cookie). Then copy that cookie for the web-site-to-REST-service requests. The mobile-to-REST calls would use the same cookie that is already in place (assuming they are in the same cookie domain).
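The scheme the answer describes, as an added example that is not part of the original post and is not Spring Security's code: the website mints a remember-me cookie after form login, copies it onto its outbound REST calls, and the REST tier verifies it with the same shared key (a mobile client presents the same cookie directly). The token layout mirrors Spring's token-based remember-me cookie (base64 of `username:expiry:signature`), but the HMAC-SHA256 signature, `SHARED_KEY`, and the `rest_tier_handle` / `website_call_rest` functions are simplifications assumed for this example, not Spring's implementation.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

COOKIE_NAME = "remember-me"  # Spring Security's default remember-me cookie name
# Assumption: both tiers are configured with the same key; otherwise the REST tier
# cannot verify a cookie the website issued.
SHARED_KEY = b"replace-with-a-long-random-secret"


def _now(now: Optional[int]) -> int:
    return int(time.time()) if now is None else now


def issue_remember_me_cookie(username: str, key: bytes, ttl_seconds: int,
                             now: Optional[int] = None) -> str:
    """Website tier: mint the cookie after a successful form login.

    Value is base64("username:expiry:signature"); the signature is an
    HMAC-SHA256 over "username:expiry" (a simplification for this example).
    """
    expiry = _now(now) + ttl_seconds
    payload = f"{username}:{expiry}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}:{sig}".encode()).decode()


def verify_remember_me_cookie(cookie: str, key: bytes,
                              now: Optional[int] = None) -> Optional[str]:
    """Either tier: return the username if the cookie is genuine and unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode()).decode()
        username, expiry_str, sig = raw.rsplit(":", 2)
        expiry = int(expiry_str)
    except ValueError:  # bad base64, bad UTF-8, wrong field count, non-integer expiry
        return None
    expected = hmac.new(key, f"{username}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    if _now(now) >= expiry:
        return None
    return username


def parse_cookie_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Minimal Cookie header parser: "a=1; b=2" -> {"a": "1", "b": "2"}."""
    cookies: Dict[str, str] = {}
    for part in headers.get("Cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def rest_tier_handle(headers: Dict[str, str], key: bytes = SHARED_KEY,
                     now: Optional[int] = None) -> Tuple[int, str]:
    """REST tier (hypothetical handler): authenticate solely from the remember-me cookie.
    The same code path serves the website's forwarded calls and the mobile app."""
    cookie = parse_cookie_header(headers).get(COOKIE_NAME)
    user = verify_remember_me_cookie(cookie, key, now) if cookie else None
    if user is None:
        return 401, "unauthorized"
    return 200, f"hello {user}"


def website_call_rest(cookie: str, key: bytes = SHARED_KEY,
                      now: Optional[int] = None) -> Tuple[int, str]:
    """Website tier: copy the browser's remember-me cookie onto the outbound REST request."""
    headers = {"Cookie": f"{COOKIE_NAME}={cookie}"}
    return rest_tier_handle(headers, key, now)


def forge_username(cookie: str, new_username: str) -> str:
    """Attacker: swap the username but keep the old signature (must be rejected)."""
    raw = base64.urlsafe_b64decode(cookie.encode()).decode()
    _, expiry, sig = raw.rsplit(":", 2)
    return base64.urlsafe_b64encode(f"{new_username}:{expiry}:{sig}".encode()).decode()


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the demo is repeatable
    cookie = issue_remember_me_cookie("alice", SHARED_KEY, ttl_seconds=3600, now=t0)
    print("website -> REST :", website_call_rest(cookie, now=t0))
    print("mobile  -> REST :", rest_tier_handle({"Cookie": f"{COOKIE_NAME}={cookie}"}, now=t0))
    forged = forge_username(cookie, "admin")
    print("forged username :", rest_tier_handle({"Cookie": f"{COOKIE_NAME}={forged}"}, now=t0))
    print("expired cookie  :", website_call_rest(cookie, now=t0 + 3601))
    print("key mismatch    :", website_call_rest(cookie, key=b"different-key", now=t0))
```

The checks a practitioner should carry over to a real deployment: both tiers must agree on the key and the cookie name, the REST tier must enforce expiry and compare signatures in constant time, and because the website forwards a cookie that can outlive the browser session, its TTL bounds how long a stolen cookie works, which is why the answer suggests a short expiry or a session cookie. Spring's own token-based remember-me additionally folds the user's stored password into the signature so that a password change invalidates outstanding cookies; this simplified example omits that.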

