Access control to a page with REST service

Problem description

I have read many discussions about authentication, authorization etc. with REST services. I now have an idea how to make authentication/authorization with REST.

But the thing I did not get is how to control access to a web page with a REST service. Is it a good practice? If so, how?

Example:

  • root of REST services: localhost/services

  • root of web pages: localhost/pages

Now, the scenario is:

1. Client tries to go to the page localhost/pages/join.html, but it does not have the right to access it.

2. Thus, the server should check if the client has the right to access the page, and since it does not have the right, should redirect the client to somewhere.

My question is not how the server would check or understand whether the client has the right or not.

However, I want to know when and how I could make this check and redirection with a REST service.

For example, the first idea that comes to my mind is, in the body of join.html, with <body onload>, to run a JavaScript that checks the access right of the client by sending a JSON message to a REST service, let's say, to localhost/services/access.

Then, the service will return its answer, and if it is OK, the page will be loaded; if not, it will be redirected with window.location.href. Is this the way to decide the right of access to a web page with a REST service? Is there another common solution / practice?

Please again note that I am not asking how to secure my REST API etc., but

How do I check access rights to my web pages with a REST service?

Recommended answer

You can send the token that is received from the REST API to the web server, to have it saved in the session object of the browser client.
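One way to apply this, as an added example that is not part of the original answer: the web server exchanges the REST-issued token for a session cookie, then makes the access decision before any page content is sent. The token value, the /pages/login.html redirect target, the per-user page list and all function names are assumptions made for illustration.

```javascript
const { randomBytes } = require('crypto');

// Constructed sample data: tokens the REST API under /services has issued,
// mapped to the pages each user may open (hypothetical grant format).
const issuedTokens = new Map([
  ['tok-alice-constructed', { user: 'alice', pages: ['/pages/join.html'] }],
]);
const sessions = new Map(); // session id -> grant, kept on the web server

// Step 1: the browser hands the REST token to the web server once.
// The server validates it and replaces it with an HttpOnly session cookie.
function createSession(token) {
  const grant = issuedTokens.get(token);
  if (!grant) return { status: 401, headers: {} };
  const sid = randomBytes(16).toString('hex'); // unguessable session id
  sessions.set(sid, grant);
  return {
    status: 204,
    headers: { 'Set-Cookie': `sid=${sid}; HttpOnly; SameSite=Lax; Path=/pages` },
  };
}

// Look up the server-side session named by the Cookie request header.
function sessionFromCookie(cookieHeader = '') {
  const m = /(?:^|;\s*)sid=([0-9a-f]{32})(?:;|$)/.exec(cookieHeader);
  return m ? sessions.get(m[1]) : undefined;
}

// Step 2: every request for /pages/* passes through this check first.
// The decision is made on the server, so a client without the right
// receives a redirect or a 403 instead of the page body.
function authorizePage(path, cookieHeader) {
  const session = sessionFromCookie(cookieHeader);
  if (!session) return { status: 302, headers: { Location: '/pages/login.html' } };
  if (!session.pages.includes(path)) return { status: 403, headers: {} };
  return { status: 200, headers: {} };
}
```

In a real deployment, `authorizePage` would run as middleware in front of the static page handler, and the cookie would also carry the `Secure` attribute when served over HTTPS.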
