How to authenticate users from a rest service


Problem description

I am trying to authenticate users with a REST service I built using Dropwizard. From previous questions I found a great example of authenticating with OpenID on GitHub: https://github.com/gary-rowe/DropwizardOpenID

However, I don't want to deal with openID at the moment and simply want users to 1. Signup, 2. Signin

My questions/confusions are:

  1. For Signup: I'm thinking about sending users' username/password as a POST request with the credentials as either form parameters or part of the JSON body. However, isn't there a security risk here of sending the password in plain text?

  2. For Sign-in, I'm thinking about using Authenticator in Dropwizard.

  3. I don't want to store passwords in plain text. What strategy should I follow after I get the users' password in the POST as plain text? I'm looking for some Java libraries that can assist in password salt and MD5

Solution

Thanks for the shout out for the Dropwizard OpenID project. Glad it was able to get you started.

If you want a pure web form type approach, take a look at another of my projects, MultiBit Merchant, which provides multiple authentication methods (web form, HMAC, cookie).

You'll need to dig around to really see it working since this project is not designed as a demo as such and is very much a work in progress.

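After loading the project, look for WebFormClientAuthenticator (https://github.com/gary-rowe/MultiBitMerchant/blob/develop/mbm-client/src/main/java/org/multibit/mbm/client/interfaces/rest/auth/webform/WebFormClientAuthenticator.java) which will get you in the right area.

The general principles involved with Dropwizard authentication are discussed in this blog article (http://gary-rowe.com/agilestack/2012/10/23/multibit-merchant-implementing-hmac-authentication-in-dropwizard). Although it targets HMAC you can easily adapt it for web form or cookie using the source code referenced earlier.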

It's all MIT license so just use it as you need.
