DropWizard Auth Realms


Question

In DropWizard, I can set up basic auth like so (in the Application#run impl):

BasicAuthProvider<SimplePrincipal> authProvider = new BasicAuthProvider(authenticator, "SECRET_REALM");
environment.jersey().register(authProvider);

I'm wondering what the significance of the realm string (SECRET_REALM) is.

From general security concepts, I understand a "realm" to be a place (database, directory, file, keystore, etc.) where users and roles/permissions are stored.

What does a realm mean in DropWizard, and what's the significance of specifying it inside BasicAuthProvider? Does it create something with this realm under the hood?

Recommended answer

A realm is, in a sense, some protected area/space in the server. The realm should have a name. If we run the example from this post, using cURL (which I recommend downloading, as it's useful in development), without any user credentials, we will see the following.

C:\>curl -i  http://localhost:8080/simple
HTTP/1.1 401 Unauthorized
Date: Thu, 11 Dec 2014 18:55:02 GMT
WWW-Authenticate: Basic realm="Basic Example Realm"
Content-Type: text/plain
Transfer-Encoding: chunked

Credentials are required to access this resource.

This is how the Basic Auth protocol works. When the server wants the user agent to authenticate in order to access a secured resource, it will send back a "401 Unauthorized", along with a header similar to

WWW-Authenticate: Basic realm="Basic Example Realm"

The name you provide to the BasicAuthProvider is the realm that will be provided in the header. You can see in the source code (https://github.com/dropwizard/dropwizard-java8/blob/master/dropwizard-java8-auth/src/main/java/io/dropwizard/java8/auth/basic/BasicAuthProvider.java)

if (required) {
    // No usable credentials were supplied: reply with a 401 challenge that names the realm
    final String challenge = String.format(CHALLENGE_FORMAT, realm);
    throw new WebApplicationException(
            Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, challenge)
                    .entity("Credentials are required to access this resource.")
                    .type(MediaType.TEXT_PLAIN_TYPE)
                    .build());
}

Now try to access the resource from the browser. You will see

You can also see the realm name there. The RFC 2617 just states (about the realm):

realm:
A string to be displayed to users so they know which username and password to use. This string should contain at least the name of the host performing the authentication and might additionally indicate the collection of users who might have access. An example might be "registered_users@gotham.news.com".
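
The challenge/response exchange described in the answer, as an added example that is not part of the original answer or of DropWizard's code: it uses the JDK's built-in com.sun.net.httpserver.BasicAuthenticator in place of DropWizard's BasicAuthProvider, and the class name RealmDemo, the credentials and the loopback server are constructed for illustration. It shows that the realm is only a label returned to unauthenticated clients in the 401 challenge (so it should not hold anything sensitive), while the credential check is separate code.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpContext;
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class RealmDemo {
    public static void main(String[] args) throws Exception {
        // Constructed demo server on an ephemeral loopback port (JDK built-in, not DropWizard).
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        HttpContext ctx = server.createContext("/simple", exchange -> {
            byte[] body = ("hello " + exchange.getPrincipal().getUsername()).getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        // The realm string only names the protected area in the challenge header.
        // Who is allowed in is decided by checkCredentials, not by the realm.
        ctx.setAuthenticator(new BasicAuthenticator("Basic Example Realm") {
            @Override
            public boolean checkCredentials(String user, String password) {
                // Constructed credentials; constant-time comparison for the password.
                return "demo-user".equals(user) && MessageDigest.isEqual(
                        password.getBytes(StandardCharsets.UTF_8), "demo-pass".getBytes(StandardCharsets.UTF_8));
            }
        });
        server.start();
        URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/simple");
        HttpClient client = HttpClient.newHttpClient();

        // 1. No credentials: the server answers 401 and discloses the realm to any caller.
        HttpResponse<String> anon = client.send(HttpRequest.newBuilder(uri).build(),
                HttpResponse.BodyHandlers.ofString());
        System.out.println(anon.statusCode() + " " + anon.headers().firstValue("WWW-Authenticate").orElse(""));

        // 2. The client replies with base64("user:password"); the realm is not sent back.
        String token = Base64.getEncoder().encodeToString("demo-user:demo-pass".getBytes(StandardCharsets.UTF_8));
        HttpResponse<String> authed = client.send(
                HttpRequest.newBuilder(uri).header("Authorization", "Basic " + token).build(),
                HttpResponse.BodyHandlers.ofString());
        System.out.println(authed.statusCode() + " " + authed.body());
        server.stop(0);
    }
}
```

Basic credentials are only base64-encoded, so outside a loopback demo like this one the exchange needs TLS.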
