Securing REST API in JBoss

I'm developing a RESTeasy JSON API under JBoss AS 7.

I have another, separate web server.

I am developing with Java on the server side, and with JavaScript, jQuery and AJAX on the client side.

So I have two distinct *war*s; let's say they can be accessed as follows:

  • https.//localhost:8443/services
  • http.//localhost:8080/web

Now I want to secure these two guys: the RESTeasy API and the web server.

Let me tell you about my structure:

  • I keep the users in the DB with username and password. These are the only users for now.
  • I have a login page to authenticate my users (I don't want the HTTP basic auth popup or any workaround for that).
  • The clients of the REST API are browsers (not the web server). The static page is loaded, and then some other dynamic things are loaded through the REST API, called from within the browser using jQuery, AJAX, whatever.
  • All communication can be through SSL/TLS, no problem.
  • For the future, scalability (clients other than web browsers, the ability to authenticate with social network logins, etc.) should be kept in mind.

My scenario is as follows:

  • Client is a browser.
  • Client wants to access a web page web/aaa.html which is restricted to authenticated users.
  • Client is redirected to the login page: web/login.html
  • Client fills in the FORM and sends it to ... either

    a) the REST API, or

    b) the web server,

    not sure (so here you have an implicit question).

    But in any case, what a or b should do is the same:

    Check username and password. Let's say they are checked and the user is authenticated.

  • From now on, I should have these two things at the same time:

    1- Client is authorized to navigate the restricted pages.

    2- Client will be authorized on REST API calls.

So I need these two things to happen at the same time, after authenticating on the login page.

I have read lots of things about authorization in REST APIs, with tokens, keys, etc., and yes, I have also heard about Spring Security, Apache Shiro, etc.

And yes, I do not want to implement a new security framework on my own; I will use one. I imagine that some framework can produce/check tokens etc. for me.

Before Spring Security and Apache Shiro, I want to know about the resteasy skeleton key JBoss module.

There are these sources:

https://github.com/resteasy/Resteasy/tree/3.0.1.Final/jaxrs/examples/oauth2-as7-example

http://docs.jboss.org/resteasy/docs/3.0-beta-2/userguide/html/oauth2.html

But they didn't seem very explanatory to me, and I am also not sure if they are what I need.

Is there someone who knows how to configure skeleton key (or the JBoss app layer in general) and can give me a useful example to achieve what I've described, please?

Or could you give me some other advice/example to achieve my goal, especially noting that my question is about "how to implement"? I don't see where to begin.

Thanks in advance.
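One concrete way to get point 2 of the scenario (REST calls authorized after the form login) with plain JAX-RS, added here as an example that is not from the question, the answer or the RESTeasy project: the login resource calls `issue` after checking the credentials in the DB and sets the result as a cookie, and this filter then validates it on every call to the services war. It assumes JAX-RS 2.0 (RESTeasy 3.x) and Java 8; `SessionTokenFilter`, `issue`, `verify`, the cookie name, the `login` path and the `api.token.secret` property are all invented for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
@Provider // picked up by RESTeasy scanning; runs before every resource method in the services war
public class SessionTokenFilter implements ContainerRequestFilter {
    // Hypothetical: the signing secret comes from server configuration, never from source code.
    private static final byte[] SECRET = System.getProperty("api.token.secret", "replace-me").getBytes(StandardCharsets.UTF_8);
    private static final String COOKIE_NAME = "SESSION_TOKEN"; // name chosen for this example
    // Called by the login resource (not shown) after the DB check of username/password succeeds.
    // Token layout: base64url(user:expiryMillis) "." base64url(HMAC-SHA256(secret, payload)).
    public static String issue(String user, long ttlMillis) throws Exception {
        byte[] payload = (user + ":" + (System.currentTimeMillis() + ttlMillis)).getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload) + "." + enc.encodeToString(hmac(payload));
    }
    // Returns the user name if the token is well-formed, correctly signed and unexpired, else null.
    public static String verify(String token) {
        try {
            String[] parts = token.split("\\.", 2);
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            byte[] sig = Base64.getUrlDecoder().decode(parts[1]);
            if (!MessageDigest.isEqual(hmac(payload), sig)) return null; // constant-time compare
            String[] fields = new String(payload, StandardCharsets.UTF_8).split(":", 2);
            if (Long.parseLong(fields[1]) < System.currentTimeMillis()) return null; // expired
            return fields[0];
        } catch (Exception e) {
            return null; // malformed or tampered token: treat as unauthenticated
        }
    }
    private static byte[] hmac(byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        return mac.doFinal(data);
    }
    @Override
    public void filter(ContainerRequestContext ctx) {
        if ("login".equals(ctx.getUriInfo().getPath())) return; // assumed @Path("login") resource stays open
        Cookie c = ctx.getCookies().get(COOKIE_NAME);
        String user = (c == null) ? null : verify(c.getValue());
        if (user == null) { ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build()); return; }
        ctx.setProperty("authenticatedUser", user); // resources read this instead of re-checking
    }
}
```

Because the token travels in a cookie, which the browser attaches to every request to the host regardless of port, the API also needs CSRF protection (for example, requiring a custom header on the AJAX calls). The cookie should be set only over the HTTPS endpoint and marked Secure and HttpOnly.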

For securing REST services, we can use the following frameworks:

  • OAuth (open source - RFC6749)
  • Apigee
