JAX-RS web服务休息身份验证和授权 [英] jax-rs rest webservice authentication and authorization
问题描述
我有一个需要允许使用不同的Web客户机(浏览器,原生移动应用等),用户注册的Web应用程序。登录就可以访问受限制的内容或他们自己的内容(如输入他们创造等)后。
我做了什么至今:我创建了一个JAX-RS web服务休息(我主持我的GlassFish应用)暴露了以下方法:
- 注册 - 网友发帖的他所期望的用户名/密码/电子邮件/等;如果用户名/电子邮件是独一无二的,该用户的条目在数据库中(我使用Hibernate进行持久化) 创建
- 登录 - 用户POST的用户名和密码。如果他们确定一个UUID创建并返回给用户(这将被用作未来请求的令牌)。我有一个表叫logedusers,与用户ID,令牌,validSince栏目。
下面是它得到混淆了我。
让我们说,我有另一种方法,getUserEntries,应该返回用户所作的所有条目。为了使这个更清晰,会出现与以下字段的表项。ENTRYID,用户id,文字
什么是最好的办法吗?
我现在要做的,是我做一个GET请求,并通过在这样的标记:
本地主机:8080 /对myApp / getUserEntries令牌= erf34c34
之后,如果令牌是有效的,我从logedusers表中的用户ID和基于用户ID得到所有的条目并返回它们作为JSON。
事情是这样的:
@GET
@Path(getUserEntries)
@Produces(MediaType.APPLICATION_JSON)
市民反应getUserEntries(@QueryParam(令牌)字符串令牌){
字符串userid = getUserIdFromToken(令牌);
如果(用户ID == NULL){
返回Response.status(Response.Status.UNAUTHORIZED).build();
}其他{
//获取与该用户id相关的一些数据,把它的响应对象,并发送回
返回Response.ok()实体(响应).build();
}
}
不过,如果我有更多的方法提供的数据,如果他们是由一个有效的用户调用?
会发生什么我必须在每一个方法开始做此项检查。
我想使这个授权过程透明
所以,在这里两个主要问题:
- 这是设计好的?使用用户名/密码,整个身份验证,服务器创建和存储并发送令牌给用户,用户发送对将来的请求令牌。
- 我该怎么办,如果我有需要确定主叫用户身份的终端数量?我可以标记他们提供一些注释,使用某种安全提供/认证的(在那里我可以添加自己的逻辑验证 - 例如检查如果令牌不超过5天的,等等)。
感谢
这是设计好的?使用用户名/密码,整个身份验证,服务器创建和存储并发送令牌给用户,用户发送对将来的请求令牌。
这有点确定。概念层次是不是太糟糕了(前提是你有自登记时都可以),但接口需要大量的调整的。尽管是,POST来注册和登陆是正确的,你的Web应用程序,你应该拉身份信息出来的情况下,如果你需要它,在那里你可以在方法级使用基于角色的访问控制的其余部分。
请注意,您的容器具有一整套内置的身份验证和授权,支持机制。利用它们。
我该怎么办,如果我有需要确定主叫用户身份的终端数量?我可以标记他们提供一些注释,使用某种安全提供/认证的(在那里我可以添加自己的逻辑验证 - 例如检查,以查看该令牌不超过5天的,等等)
。难道他们的需求的身份?或者,他们只需要知道用户被允许访问它们?如果是后者,最简单的方法就是把该方法适合
@RolesAllowed注释,在这一点(有合适的配置;看到的 JEE5安全文档)。如果是前者,你需要获得的HttpServletRequest对象当前操作,并调用其getUserPrincipal()方法获取(如果他们没有登录或空还)的用户的身份。 这太问题介绍了如何去获得请求对象;有几个可能的方式来做到这一点,但我建议通过@Resource标注注入。我不会做的就是让用户通过
@QueryParam通常提供自己的身份;这只是疯狂地滥用。你可以让他们询问的其他用户的这种方式,但你需要决定是否要告诉他们什么或不基于当前用户是否被允许了解其他用户的任何。这就是那种复杂的安全问题,在实际应用出现,是一个很好的点,需要当前验证用户身份。I have a web application that needs to allow users using different webclients (browser, native mobile app, etc) to register. After signing in they can access restricted content or their own content (like entries they create, etc).
What I did so far: I created a jax-rs rest webservice (I'm hosting my application on glassfish) that exposes the following methods:
- register - user POST's his desired username/password/email/etc; if username/email is unique, an entry for this user is created in the database (I'm using Hibernate for persistence)
- login - user POST's username and password. If they are ok a UUID is created and returned to the user (this will be used as a token for future requests). I have a table called logedusers, with userID, token, validSince as columns.
Here is where it gets confusing for me.
Let's say that I have another method, getUserEntries, that should return all the entries made by the user. To make this clearer, there will be a Entry table with the following fields: entryId, userId, text.
What is the best approach here?
What i do now, is I make a get request and pass in the token like this:
localhost:8080/myApp/getUserEntries?token=erf34c34Afterwards, if the token is valid, I get the userID from the logedusers table and based on that userId, get all the entries and return them as json.
Something like this:
@GET @Path("getUserEntries") @Produces(MediaType.APPLICATION_JSON) public Response getUserEntries(@QueryParam("token") String token) { String userId=getUserIdFromToken(token); if (userId == null){ return Response.status(Response.Status.UNAUTHORIZED).build(); } else { //get some data associated with that userId, put it in the response object and send it back return Response.ok().entity(response).build(); } }However, what happens if I have more methods that provide data if they are called by a valid user?
I'd have to do this check at the beginning of every method.
I want to make this authorization process transparent
So, two major questions here:
- Is this design ok? The whole authenticate with user/pass, server creates and stores and sends token to the user, user sends token on future requests.
- What do I do if i have many endpoints that need to determine the identity of the calling user? Can I mark them with some annotations, use some sort of security provider / authenticator (where I can add my own logic for validating - eg check to see if the token isn't older than 5 days, etc).
Thanks
解决方案Is this design ok? The whole authenticate with user/pass, server creates and stores and sends token to the user, user sends token on future requests.
It's somewhat OK. The conceptual level isn't too bad (provided you're OK with self-registration at all) but the interface needs a lot of tweaking. While yes, POST to register and login is correct, for the rest of your webapp you should be pulling the identity information out of the context if you need it, and using role-based access control at the method level where you can.
Note that your container has a whole set of authentication and authorization-support mechanisms built in. Use them.
What do I do if i have many endpoints that need to determine the identity of the calling user? Can I mark them with some annotations, use some sort of security provider / authenticator (where I can add my own logic for validating - eg check to see if the token isn't older than 5 days, etc).
Do they need the identity? Or do they just need to know that the user is allowed to access them? If the latter, the easiest method is to put a suitable
@RolesAllowedannotation on the method, at which point (with suitable configuration; see the JEE5 security docs). If the former, you need to get theHttpServletRequestobject for the current action and call itsgetUserPrincipal()method to get the user's identity (or null if they've not logged in yet). This SO question describes how to go about getting the request object; there are a few possible ways to do it but I recommend injection via a@Resourceannotation.What I wouldn't do is allow users to normally provide their own identity via a
@QueryParam; that's just wildly open to abuse. You can allow them to ask about other users that way, but then you need to decide whether you are going to tell them anything or not based on whether the current user is permitted to know anything about the other user. That's the sort of complex security problem that comes up in a real app, and is a good point for needing the current verified user identity.这篇关于JAX-RS web服务休息身份验证和授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
