Web REST API的体面但简单的身份验证
[英]Decent but simple authentication for Web REST API
问题描述
Let's say I have some Web API and I want it to use only the users who know the password. 
假设我有一些Web API,并且我希望它仅使用知道密码的用户。 And I have a URL like this: 我有这样的网址:
GET http://api.example.com/v1/dog/123
I don't need to much security here. 我在这里不需要太多安全性。 So, it is secure enough to just supply a password like this: 因此,只需提供这样的密码就足够安全了:
GET http://api.example.com/v1/dog/123?password=myPassword
Of course, it's a plain text and a GET request which is not secure at all. 当然,它是纯文本和GET请求,这一点都不安全。 But I can't use https for now (if it would help). 但是我暂时不能使用https(如果有帮助的话)。
What are the other option for decent but not complicated authentication? 体面但又不复杂的身份验证的其他选择是什么?
1 个解决方案
解决方案1
1 2013-11-17 04:35:01
It seems that an explicit user login would be in order. 似乎应该进行明确的用户登录。 Once the user is authenticated, authentication cookies in the GET request allow access the resource. 用户通过身份验证后,GET请求中的身份验证cookie允许访问资源。
If you web service is in Java, the J2EE container takes care of all this for you. 如果您的Web服务使用Java,则J2EE容器将为您完成所有这些工作。 See the following tutorial: http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html . 请参阅以下教程: http : //docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html 。 To sum this up, the application server provide protection on a per-resource basis. 综上所述,应用服务器基于每个资源提供保护。 The server also allows you to chose from multiple methods of authentication (form, basic, ...). 服务器还允许您从多种身份验证方法(表单,基本,...)中进行选择。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.