REST services basic auth session timeout

Views: 77

Problem description

I'm working on a RESTful web service using basic authentication. In the web.xml I have the following:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Services</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>User</role-name>
    </auth-constraint>
</security-constraint>
<session-config>
    <session-timeout>1</session-timeout>
</session-config>

This works as expected: the user must supply a password when interacting with the service.

However, to conform to more RESTful standards, I think it really should be a stateless service where a session is never created. In other words, I would like to force the clients to supply their credentials for each request.

If I set the session-timeout to 0 in the web.xml, this is interpreted as "never expire", which is the exact opposite of what I want.

Is there a simple way to get the session invalidated immediately?

Recommended answer

You don't need the <session-config> element at all.

What you experience is how browsers implement the authentication protocol.

Briefly, basic authentication (RFC 2617) works like this:

  1. Client requests some resource.
  2. Server recognizes that the resource has a security constraint. Therefore it sends an HTTP 401 "Authorization required" response. The header contains something like...

     WWW-Authenticate: Basic realm="Protected"

  3. The client resends its request, but this time with the credentials (base64-encoded) in the header, e.g. ...

     Authorization: Basic dG9tY2F0OnMzY3JIdA==

  4. The server authenticates the request based on the given credentials and sends the requested resource.

In order to make web browsing convenient for humans, virtually every browser caches the credentials until the browser is closed. Every time you reload the page in the browser, the "Authorization" entry is sent with the headers of the request. Therefore you are not asked for your credentials again while testing your web service with a browser.

With Firefox you can control that behavior. Check out the discussion "Firefox quickly forget HTTP Basic Auth".
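The four-step exchange from the answer, as an added example that is not part of the original question or answer: a stateless server-side handler that judges every request on its Authorization header alone (no session object is ever created, which is what the question asks for), plus the client-side header construction a browser or curl performs after seeing the 401. The user name, password and realm are constructed for the example; the lookup table stands in for whatever credential store the container would consult, and the comparison uses hmac.compare_digest so a wrong password and an unknown user cost the same time.

```python
import base64
import binascii
import hmac

# Constructed credential store for the example (hypothetical user, not from the page).
# A real deployment would verify a password hash, not keep a plaintext table.
USERS = {"alice": "correct horse battery staple"}
REALM = "Protected"


def challenge():
    """Server's reply to a request without valid credentials (step 2 in the answer)."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, b""


def parse_basic_authorization(header_value):
    """Return (user, password) from a 'Basic <base64>' header value, or None if malformed."""
    if header_value is None:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects non-alphabet characters instead of silently skipping them
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep:
        return None
    return user, password


def credentials_valid(user, password):
    """Constant-time check against the constructed store."""
    expected = USERS.get(user)
    if expected is None:
        # Run a comparison anyway so an unknown user is not distinguishable by timing.
        hmac.compare_digest(password.encode("utf-8"), b"")
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def handle_request(headers):
    """Stateless handler: nothing is remembered between calls, so every request
    must carry its own Authorization header (the behaviour the question wants)."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None or not credentials_valid(*creds):
        return challenge()
    return 200, {"Content-Type": "text/plain"}, b"hello " + creds[0].encode("utf-8")


def make_authorization_header(user, password):
    """Client side: what the browser adds after receiving the 401 (step 3)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def exchange(user, password):
    """Run the whole exchange and return (first status, second status, final body)."""
    status1, hdrs1, _ = handle_request({})            # steps 1-2: no credentials -> 401
    assert "WWW-Authenticate" in hdrs1
    hdr = make_authorization_header(user, password)   # step 3: client resends with creds
    status2, _, body = handle_request({"Authorization": hdr})  # step 4
    return status1, status2, body


if __name__ == "__main__":
    print(exchange("alice", "correct horse battery staple"))
    print(exchange("alice", "wrong password"))
```

Because handle_request keeps no state, the "session" the question worries about never exists on the server; the repeated access the asker saw comes entirely from the browser replaying the cached header, exactly as the answer says. Note that the header only base64-encodes the credentials, so the exchange is meaningful only over TLS.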

