Why is form based authentication NOT considered RESTful?


Question



Although I "think" I understand it, I need some clarity. With PURE RESTful authentication, things do get a bit unwieldy, and using forms helps a lot with the UI of the application (i.e., you get to have a separate login page, forgot-password links, easier logout, etc.).

Now forms come along and some folks say "not RESTful" - what is "not RESTful" about them? Is it that there is no corresponding login resource, so to speak? Or does it force something else that I'm missing?

Note: If one creates sessions with them, that's a different matter altogether. I'm more keen on knowing "why" they are branded as RESTful. Just googling for "Form based authentication vs restful authentication" throws up quite a few hits.

One could use these "forms" to authenticate and pass on tokens for the application to store in cookies, etc., which I feel is entirely RESTful (assuming cryptographic security, etc.)...

Solution

There is nothing wrong with sending your credentials, perhaps through a form, for authentication. The problem is that most form-based systems rely on sessions, thus requiring you to log in only "once".

Sessions are server state, thus violating the stateless constraint of a REST architecture.

If you have to send the credentials each time, you can either include them in the payload (i.e. using a form), or you can use the HTTP Authorization header.

If you include them in the payload, you can include them in the body, but only for a POST or PUT, and not a GET or DELETE (since they don't have bodies).

If you include them in the URL as part of the query parameters, then the URL is no longer necessarily representing the actual resource. One of the other tenets is that the URL matches the resource. Adding out of band information (such as credentials) within the query parameters muddies that constraint up a bit.

So, for a REST system over HTTP, you're better off using the existing HTTP Authorization mechanism than working out something else. You could also use client-specific SSL certs; that works fine as well.
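The distinction the answer draws, shown as an added example that is not part of the original question or answer: a stateless handler that authenticates every request from its own `Authorization: Basic` header (RFC 7617), next to the session-backed form login it objects to. The user table, salt and passwords are constructed sample data, and `authenticate_request`, `SessionLoginServer` and the other names are this example's own, not from any framework. The point the code makes is that the stateless handler works identically on any server node, while a second node with an empty session table cannot recognise a session the first one issued.

```python
"""Stateless per-request HTTP authentication versus a session-backed form login.

Constructed example. Assumes credentials arrive in an RFC 7617 Basic
Authorization header; the user store and password are sample data.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Mapping, Optional, Tuple

_ITERATIONS = 50_000           # PBKDF2 work factor, kept modest for the example
_DUMMY_SALT = b"constructed-dummy-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


# Constructed sample user store: username -> (salt, password hash).
# This is the ONLY thing the stateless path keeps server-side; it describes
# resources (users), not who is "currently logged in".
_ALICE_SALT = b"constructed-salt-alice"
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}


def parse_basic_authorization(header_value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from 'Basic <base64(user:pass)>', else None."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")   # first colon only; RFC 7617
    if not sep:
        return None
    return username, password


def verify_credentials(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _DUMMY_SALT)  # same cost for unknown users
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


def authenticate_request(headers: Mapping[str, str]) -> Optional[str]:
    """Stateless: the request carries everything needed; nothing is remembered."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None:
        return None
    username, password = creds
    return username if verify_credentials(username, password) else None


def make_basic_header(username: str, password: str) -> str:
    """Client side: build the header a RESTful client sends on every request."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


class SessionLoginServer:
    """The form-login model the answer objects to: POST /login creates server
    state (session id -> user) that every later request depends on."""

    def __init__(self) -> None:
        self._sessions = {}  # this table is the server state REST's stateless constraint forbids

    def login(self, form: Mapping[str, str]) -> Optional[str]:
        username, password = form.get("username", ""), form.get("password", "")
        if not verify_credentials(username, password):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def user_for(self, cookies: Mapping[str, str]) -> Optional[str]:
        return self._sessions.get(cookies.get("session", ""))


if __name__ == "__main__":
    header = make_basic_header("alice", "correct horse")
    print("stateless, node A:", authenticate_request({"Authorization": header}))
    node_a = SessionLoginServer()
    sid = node_a.login({"username": "alice", "password": "correct horse"})
    print("session, node A:", node_a.user_for({"session": sid}))
    print("session, node B:", SessionLoginServer().user_for({"session": sid}))  # None
```

Running the block prints that node A accepts both styles but a fresh node B rejects the session cookie while still accepting the Basic header; that is the "session is server state" objection in concrete form. The parser also shows the caveats a practitioner hits in practice: only the first colon splits user from password, and malformed base64 or a non-Basic scheme is rejected rather than raising.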

