Rest token authentication with HTTP header


Problem description

This is an existing system with a login screen, and now I expose some services as REST services. I am building an authentication-token login system for this REST (Jersey) service. The user sends a username and password, then the server returns a token calculated as:

sha1(username+password+currenttime(or any random number))

The user will use this token to log in to the app for further requests. The server keeps a copy of the token in the database with a timestamp and user id, and logs that user in if the timestamp is valid.

Considering that HTTPS will be used, a few questions:

Does everything look OK in my design? (the generation of the hash and the way I save it in the DB) It looks to me like the weakest point is that I need to send the plain username and password over a POST request, but since it is HTTPS I guess it will not be a problem.

Another thing: for the first request, since it is an existing system, I don't have the user passwords in my DB but keep a salted, hashed version of them. I guess it is not safe to give all the clients this salting algorithm so that they send me a hash of their password and I compare hashes rather than passwords. Does this make sense?

Recommended answer

1/2 - I'd suggest POSTing the username/password to the server, which can then return the token in the body. That makes the most sense to me: you're not actually storing much on the server, so PUT would be wrong, and a query parameter doesn't make sense at all. Headers are supposed to be somewhat consistent across requests, so they don't make sense either. When actually communicating using the token, feel free to use a query parameter or a header. It doesn't really matter.

3 - I'd pick a slightly longer hashing algorithm (SHA-256?)
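The login exchange and token check described in the question, with the answer's SHA-256 suggestion applied, as an added example that is not part of the original post or the asker's code. It assumes the server keeps salted SHA-256 password hashes (the salt, the user record, the 30-minute lifetime and the `Authorization: Bearer` header format are all assumptions made for the example; the post does not specify them), stands in for the token table with a dictionary, and uses a random nonce in place of "currenttime (or any random number)" so that two logins never yield the same token.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed token lifetime; the original post only says the timestamp must be "valid".
TOKEN_TTL_SECONDS = 30 * 60


def _hash_password(password, salt):
    """Salted SHA-256, standing in for whatever the existing system already uses."""
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed user store: the existing system holds salted hashes, not plaintext.
_SALT = os.urandom(16)
USERS = {
    "alice": {"user_id": 42, "salt": _SALT, "pw_hash": _hash_password("correct horse", _SALT)},
}

# Server-side token table, token -> (user_id, issued_at); stands in for the DB table.
TOKENS = {}


def verify_password(username, password):
    """Hash the POSTed plaintext with the stored salt and compare in constant time."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    return user["user_id"]


def issue_token(username, password, now=None):
    """Handle the login POST: on success store and return a fresh token, else None."""
    user_id = verify_password(username, password)
    if user_id is None:
        return None
    now = time.time() if now is None else now
    nonce = secrets.token_bytes(16)  # random input, as the question allows
    token = hashlib.sha256(username.encode() + password.encode() + nonce).hexdigest()
    TOKENS[token] = (user_id, now)
    return token


def authenticate(token, now=None):
    """Look the token up; reject unknown or expired tokens, dropping expired rows."""
    now = time.time() if now is None else now
    entry = TOKENS.get(token)
    if entry is None:
        return None
    user_id, issued_at = entry
    if now - issued_at > TOKEN_TTL_SECONDS:
        TOKENS.pop(token, None)
        return None
    return user_id


def token_from_header(headers):
    """Extract the token from an assumed 'Authorization: Bearer <token>' header."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


if __name__ == "__main__":
    tok = issue_token("alice", "correct horse")
    print("issued:", tok)
    print("user id:", authenticate(token_from_header({"Authorization": "Bearer " + tok})))
```

The password is compared with `hmac.compare_digest` rather than `==` so that the comparison time does not depend on how many leading bytes match, and the token lookup is by exact key, so a client never learns anything from a failed check beyond "invalid".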

