RESTful Service Authentication

Question

As per REST spec, the service is supposed to be stateless; but then it becomes difficult to enable authentication. Some of the stuff I have read said "making REST stateful is not end of the world". But that's not the point, the point is to follow the spec and be consistent.

So, I am asking this question here in the hope someone could guide me in the right direction. I am working with Spring MVC to create a REST Service. I do not have views. It is a true REST Service which consumes/produces JSON. I need to have authentication (and authorization down the road) mechanism for this application that is stateless and follows REST specification. The client will be written in JavaScript (Backbone.js, CoffeeScript) and will accept username/password from a User. Then it will post that information to the server.

How can I achieve true stateless authentication (and authorization) in a Spring based application?

Digest Authentication over SSL - Is this the way to go?

Recommended answer

Have you looked into how Spring Security works? Using Spring Security I have been able to add custom HTTP Authorization Headers from the client in the REST Request. This is extracted server side, the requesting user is authenticated, and it is possible to authorize access to specific resources.
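
An added example (not code from the answer's author or from the Spring project) of the approach the answer describes: a Spring Security filter that authenticates each request from a custom `Authorization` header alone, so the server keeps no session. The `Token` scheme, the HMAC-signed token layout, the class name `TokenAuthFilter` and the fixed `ROLE_USER` authority are assumptions made for illustration; the imports assume Spring Security 5 on `javax.servlet` (on version 6 the servlet packages are `jakarta.servlet`).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
// Hypothetical filter: every request is authenticated from its Authorization header only.
public class TokenAuthFilter extends OncePerRequestFilter {
    private static final String SCHEME = "Token "; // assumed custom scheme name
    private final byte[] key;                       // server-side HMAC secret
    public TokenAuthFilter(byte[] key) { this.key = key.clone(); }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws IOException, ServletException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith(SCHEME)) {
            String user = verify(header.substring(SCHEME.length()));
            if (user == null) { // bad signature, expired or malformed: reject immediately
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(user, null,
                    AuthorityUtils.createAuthorityList("ROLE_USER")));
        }
        chain.doFilter(req, res); // no header: the configured authorization rules decide
    }
    // Assumed token layout: username:expiryEpochSeconds:base64url(HMAC-SHA256("username:expiry"))
    // Returns the username for a valid, unexpired token, otherwise null.
    String verify(String token) {
        try {
            String[] p = token.split(":");
            if (p.length != 3 || Long.parseLong(p[1]) < System.currentTimeMillis() / 1000) return null;
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] expected = mac.doFinal((p[0] + ":" + p[1]).getBytes(StandardCharsets.UTF_8));
            byte[] given = Base64.getUrlDecoder().decode(p[2]);
            return MessageDigest.isEqual(expected, given) ? p[0] : null; // constant-time compare
        } catch (Exception e) { return null; } // bad number, bad base64, crypto setup failure
    }
}
```

To keep the service stateless, register the filter with `addFilterBefore(..., UsernamePasswordAuthenticationFilter.class)` and set the session policy to `SessionCreationPolicy.STATELESS`; the token itself must only ever travel over TLS.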
