REST Authorization: Username/Password in Authorization Header vs JSON body

Question

I'm using a token style authentication process. After the client has obtained a token, it is either set in the client's cookies (for Web) or the authorization headers of the client's requests (for mobile). However, in order to obtain a valid token, the client must first "log in" using a valid username/password combination. My question is this:

Is there any added security by sending the username/password combination in the authorization header vs. as parameters in the JSON body of the request (assuming I'm using HTTPS)?

I only need to send the username/password combination "once" per session in order to obtain the token. Do I gain anything by doing it a la "basic-auth" style?

Recommended answer

There's no added security in sending credentials in the Authorization header vs. a JSON body. The advantage in using the Authorization header is that you leverage the standardized HTTP semantics, and you don't have to document exactly what clients should do. You can simply point them to the RFCs.

If you're concerned about being really RESTful, I'd say using the Authorization header instead of rolling your own method is a must.
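As an added example (not code from the question or the answer above), here is a minimal Python token endpoint that accepts the credentials either as an RFC 7617 `Basic` Authorization header or as a JSON body, feeds both into the same check, and issues the session token the question describes. The user store, the token map and the function names are assumptions made for this demo.

```python
import base64, binascii, hmac, json, secrets

# Constructed demo store (a real service keeps salted password hashes, never plaintext).
USERS = {"alice": "correct horse battery staple", "bob": "p:ss:w0rd"}
ISSUED_TOKENS = {}  # token -> username, for the session that follows the one-time login


def basic_header(username, password):
    """Client side: build the RFC 7617 Authorization value for the login request."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value):
    """Server side: decode 'Basic <base64(user:pass)>'; return None if malformed."""
    scheme, _, encoded = value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':', the password may, so split on the first one.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def parse_json_body(body):
    """Server side: the alternative transport, {"username": ..., "password": ...}."""
    try:
        data = json.loads(body)
        return (str(data["username"]), str(data["password"]))
    except (ValueError, KeyError, TypeError):
        return None


def check_credentials(username, password):
    """Constant-time compare so response timing does not reveal which field failed."""
    expected = USERS.get(username, "")
    return username in USERS and hmac.compare_digest(password.encode(), expected.encode())


def login(headers, body=""):
    """Token endpoint: both transports reach the same check and receive the same token."""
    if "Authorization" in headers:
        creds = parse_basic_header(headers["Authorization"])
    else:
        creds = parse_json_body(body) if body else None
    if creds is None:
        return 400, {"error": "malformed credentials"}
    if not check_credentials(*creds):
        return 401, {"error": "invalid username or password"}
    token = secrets.token_urlsafe(32)  # opaque bearer token used for the rest of the session
    ISSUED_TOKENS[token] = creds[0]
    return 200, {"token": token}
```

In both paths the password travels as plaintext inside the TLS tunnel and is verified identically, which is the answer's point; the header path only buys the standard `Basic` syntax that clients already know how to produce.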
