RESTful Login Failure: Return 401 or Custom Response


Question

This is a conceptual question.

I have a client (mobile) application which needs to support a login action against a RESTful web service. Because the web service is RESTful, this amounts to the client accepting a username/password from the user, verifying that username/password with the service, and then just remembering to send that username/password with all subsequent requests.

All other responses in this web service are provided in a JSON format.

The question is, when I query the web service simply to find out whether a given username/password are valid, should the web service always respond with JSON data telling me it's successful or unsuccessful, or should it return HTTP 200 on good credentials and HTTP 401 on bad credentials?

The reason I ask is that some other RESTful services use 401 for bad credentials even when you're just asking if the credentials are valid. However, my understanding of 401 responses is that they represent a resource that you are not supposed to have access to without valid credentials. But the login resource SHOULD be accessible to anyone because the entire purpose of the login resource is to tell you if your credentials are valid.

Put another way, it seems to me that a request like:

myservice.com/this/is/a/user/action 

should return 401 if bad credentials are provided. But a request like:

myservice.com/are/these/credentials/valid

should never return 401 because that particular URL (request) is authorized with or without valid credentials.

I'd like to hear some justified opinions one way or the other on this. What is the standard way of handling this, and is the standard way of handling this logically appropriate?

Answer

First off, 401 is the proper response code to send when a failed login has happened.


401未经授权
与403 Forbidden类似,但专门用于需要身份验证且已失败或尚未提供的情况。响应必须包含一个WWW-Authenticate头字段,其中包含适用于所请求资源的质询。

401 Unauthorized Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource.

Your confusion about myservice.com/are/these/credentials/valid sending back 401 when you just do a check is, I think, based on the fact that doing boolean requests in REST is often wrong by the RESTful constraints. Every request should return a resource. Doing boolean questions in a RESTful service is a slippery slope down to RPC.

Now I don't know how the services that you looked at are behaving. But a good way of solving this is to have something like an Account object that you try to GET. If your credentials are correct, you will get the Account object; if you don't want to waste bandwidth just to do a "check", you can do a HEAD on the same resource.

An Account Object is also a nice place to store all those pesky boolean values that otherwise would be tricky to create individual resources for.
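The Account-resource pattern from the answer, as an added example that is not part of the original question or answer: a request handler for a hypothetical /account resource that returns 401 with the mandatory WWW-Authenticate challenge on bad or missing credentials, the Account JSON on a successful GET, and headers only on a HEAD. The user store, account data, realm name and the Basic-auth scheme are assumptions made for the demo.

```python
import base64
import hmac
import json
from hashlib import sha256

# Constructed sample user store: username -> SHA-256 of the password.
# A real service would store a salted, slow password hash (bcrypt/argon2);
# plain SHA-256 is used here only so the example runs on the standard library.
USERS = {"alice": sha256(b"correct horse").hexdigest()}
ACCOUNTS = {"alice": {"username": "alice", "email_verified": True, "plan": "free"}}
REALM = "myservice.com"  # assumed realm for the challenge


def authenticate(authorization_header):
    """Return the username for a valid 'Basic <base64>' header, else None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
        username, _, password = decoded.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header is treated like no credentials
    expected = USERS.get(username)
    if expected is None:
        return None
    # Constant-time comparison so timing does not reveal how much of the hash matched.
    if not hmac.compare_digest(sha256(password.encode()).hexdigest(), expected):
        return None
    return username


def handle_account(method, authorization_header=None):
    """Serve GET/HEAD on /account. Returns (status, headers, body)."""
    if method not in ("GET", "HEAD"):
        return 405, {"Allow": "GET, HEAD"}, ""
    user = authenticate(authorization_header)
    if user is None:
        # Bad or missing credentials: 401 plus the WWW-Authenticate challenge.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""
    body = json.dumps(ACCOUNTS[user])
    headers = {"Content-Type": "application/json", "Content-Length": str(len(body))}
    # HEAD is the cheap "are these credentials valid?" check: same status and
    # headers as GET, but no body on the wire.
    return 200, headers, ("" if method == "HEAD" else body)


def basic_header(username, password):
    """Build the Authorization header a client would send (demo helper)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
```

Because the login check is just a GET or HEAD on an ordinary protected resource, the 401 here is the normal "authentication failed" response and needs no custom success/failure JSON.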
