RESTful Web服务 - 如何进行身份验证的其他服务请求? [英] RESTful web service - how to authenticate requests from other services?
问题描述
我设计需要由用户访问的RESTful Web服务,还包括其他Web服务和应用。所有的传入请求的需要进行认证。所有通信都发生在HTTPS。用户认证是怎么回事基于身份验证令牌,通过发布用户名和密码(通过SSL连接)到的 /会话的服务所提供的资源。
I am designing a RESTful web service that needs to be accessed by users, but also other web services and applications. All of the incoming requests need to be authenticated. All communication takes place over HTTPS. User authentication is going to work based on an authentication token, acquired by POSTing the username and password (over an SSL connection) to a /session resource provided by the service.
的在Web服务客户端的情况下,背后是客户服务的没有终端用户 的要求按计划任务,事件或其他一些计算机操作启动。连接的服务列表预先知道(很明显,我猜)。 我应该如何鉴别这些请求来自其他(网络)服务来吗?我想验证过程是在安全的代价尽可能容易地实现这些服务,但不能。什么会是这样吗?
In the case of web service clients, there is no end user behind the client service. The requests are initiated by scheduled tasks, events or some other computer operations. The list of connecting services is known beforehand (obviously, I guess). How should I authenticate these requests coming from other (web) services? I want the authentication process to be as easy as possible to implement for those services, but not at the cost of security. What would be the standard and best practices for a scenario like this?
这是我能想到的(或已建议我)选项:
Options that I can think of (or have been suggested to me):
-
在客户端服务诉诸有一个假的用户名和密码,并以同样的方式为用户验证他们的身份。我不喜欢这样的选择 - 它只是感觉不对
Have the client services resort to having a "fake" username and password, and authenticate them in the same way as users. I do not like this option - it just doesn't feel right.
分配一个永久的应用程序ID为客户服务,可能是一个应用程序键为好。据我理解这一点是一样的具有用户名+密码。有了这个ID和关键,我可以验证每个请求,或创建一个认证令牌认证进一步要求。无论哪种方式,我不喜欢这个选项,因为任何人谁可以得到的应用程序ID的保持和密钥可以模拟客户端。
Assign a permanent application id for the client service, possibly an application key as well. As far as I have understood this is just the same as having username + password. With this id and key, I can either authenticate each request, or create an authentication token to authenticate further requests. Either way, I do not like this option, because anyone who can get a hold of the application id and key can impersonate the client.
我可以添加一个IP地址检查,以previous选项。这将使其难以执行的虚假请求。
I could add an IP address check to previous option. This would make it harder to perform fake requests.
客户端证书。建立自己的证书颁发机构,创建根证书,并为客户服务,客户端证书。一对夫妇的问题浮现在脑海中,虽然:一)我怎么还允许用户无需认证证书和b)如何复杂此方案从客户端查看服务点
Client certificates. Set up my own certificate authority, create root certificate, and create client certificates for the client services. A couple of issues come to mind, though: a) how do I still allow the users to authenticate without certificates and b) how complicated is this scenario to implement from the client service point of view?
的别的东西 - 必须有其他的解决方案在那里的
我的服务将在Java中运行,但我故意漏掉什么具体的框架,这将是建立在信息,因为我的基本原理更感兴趣,而不是那么多的实施细则 - 我认为最好的解决办法这将有可能不管底层框架来实施。不过,我有点缺乏经验这个题材,所以具体的技巧和对实际应用的例子(如有用的第三方库,文章等)将大大AP preciated为好。
My service would be running on Java, but I deliberately left out information about what specific framework it would be built on, because I am more interested on the basic principles and not so much on the implementation details - I assume the best solution for this will be possible to implement regardless of the underlying framework. However, I am a bit inexperienced with this subject, so concrete tips and examples on the actual implementation (such as useful third party libraries, articles, etc.) will be much appreciated as well.
推荐答案
任何解决这一问题归结为一个共享的秘密。我不喜欢硬codeD的用户名和密码选项,但它确实有被相当简单的好处。客户端证书也不错,但它真的太大的不同?有客户端上的服务器和一个上的证书。它的主要优点是,它很难蛮力。希望你已经到位,以防止,虽然还有其他的保护措施。
Any solution to this problem boils down to a shared secret. I also don't like the hard-coded user-name and password option but it does have the benefit of being quite simple. The client certificate is also good but is it really much different? There's a cert on the server and one on the client. It's main advantage is that it's harder to brute force. Hopefully you've got other protections in place to protect against that though.
我不认为客户端证书解决您的A点是难以解决的。你只需要使用一个分支。 如果(客户端证书时,){检查}其他{HTTP基本认证} 我不是Java专家,我从来没有与它的工作做的客户端证书。然而,一个快速谷歌使我们本教程看起来对你的胡同。
I don't think your point A for the client certificate solution is difficult to resolve. You just use a branch. if (client side certificat) { check it } else { http basic auth } I'm no java expert and I've never worked with it to do client side certificates. However a quick Google leads us to this tutorial which looks right up your alley.
尽管这个什么是最好的的讨论,我只想指出,还有另外一个理念,说:少code,少聪明更好。 (我个人认为这种哲学)。客户端证书的解决方案听起来很多code的。
Despite all of this "what's best" discussion, let me just point out that there is another philosophy that says, "less code, less cleverness is better." (I personally hold this philosophy). The client certificate solution sounds like a lot of code.
我知道你前pressed了解OAuth的问题,但提案的OAuth2不包括解决问题的方法叫做<一个href=\"http://blog.apigee.com/detail/best_practices_for_oauth_2.0_vs._oauth_1.0_-_one_year_later/\">bearer它必须与SSL一起使用令牌。我认为,为了简单起见,我会选择要么硬codeD的用户名/密码(每个应用一个,这样他们可以单独被撤销)或非常相似的承载令牌。
I know you expressed questions about OAuth, but the OAuth2 proposal does include a solution to your problem called "bearer tokens" which must be used in conjunction with SSL. I think, for the sake of simplicity, I'd choose either the hard-coded user/pass (one per app so that they can be revoked individually) or the very similar bearer tokens.
这篇关于RESTful Web服务 - 如何进行身份验证的其他服务请求?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
