Web app and request authentication

I currently have a working web app, but I need to provide means for a friend website to consume my data.

There is currently a JSON response in place which retrieves some data from my website to the caller. It's without authentication currently and I'd like to implement some kind of per-request authentication.

My web app has users which are logged in and there is an authentication in place for that. But

I have 3 requests in total for which callers can get data off of my website, what would be the simplest way to add some kind of authentication just for those 3 requests?

I'm using Play framework + Java

IMO the best options for this would be, in the order of simplicity:

  • Basic authentication (since it's possible to choose either to auth once and then do session-based user recognition or authorize on every request)
  • 2-way SSL
  • Combination of both

What toolkit do you use for the authentication part?

I personally stuck with play-authenticate. So I might be able to answer your question in regard to this toolkit, please apply it to your particular toolkit as needed.

I will provide a Basic authentication example as the easiest one. The benefit is: you could start with it and add on top of it later (e.g. add Client certificate authentication via Apache later on).

So, my controller code snippet:

import be.objectify.deadbolt.java.actions.Group;
import be.objectify.deadbolt.java.actions.Restrict;

@Restrict(value = @Group({"ROLE_WEB_SERVICE1"}), handler = BasicAuthHandler.class)
public static Result ws1() {
  return TODO; // Play's built-in "not implemented yet" placeholder result
}

And the authentication handler itself:

import java.nio.charset.StandardCharsets;
import java.util.Base64;

import be.objectify.deadbolt.core.models.Subject;
import be.objectify.deadbolt.java.AbstractDeadboltHandler;
import com.feth.play.module.pa.PlayAuthenticate;
import com.feth.play.module.pa.user.AuthUser;
import play.Logger;
import play.mvc.Http;
import play.mvc.Result;
// AuthProvider and the concrete AuthUser constructed below are the app's own
// play-authenticate classes (not part of the library itself).

public class BasicAuthHandler extends AbstractDeadboltHandler {
    public static final String HEADER_PREFIX = "Basic ";
    private static final String AUTHORIZATION = "authorization";
    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";

    @Override
    public Result beforeAuthCheck(final Http.Context context) {
        // Returning null lets Deadbolt carry on with the @Restrict role check.
        return basicAuthenticate(context);
    }

    private Result basicAuthenticate(final Http.Context context) {
        if (PlayAuthenticate.isLoggedIn(context.session())) {
            // Caller already authenticated earlier in this session: no header required.
            return null;
        }
        final String authHeader = context.request().getHeader(AUTHORIZATION);
        // The scheme name is case-insensitive, so compare lower-cased.
        if (authHeader == null || !authHeader.toLowerCase().startsWith(HEADER_PREFIX.toLowerCase())) {
            return onAuthFailure(context, "Basic authentication header is missing");
        }
        final String auth = authHeader.substring(HEADER_PREFIX.length());
        final String[] credentials;
        try {
            // java.util.Base64 (Java 8) replaces the unnamed Base64 helper of the original snippet.
            final byte[] decodedAuth = Base64.getDecoder().decode(auth.trim());
            // Split on the FIRST ':' only; a password containing ':' must not be truncated or rejected.
            credentials = new String(decodedAuth, StandardCharsets.UTF_8).split(":", 2);
        } catch (final IllegalArgumentException e) {
            // Malformed Base64 is a client error, so answer with the auth failure, not a 500.
            Logger.error("basicAuthenticate: malformed Base64 in Authorization header", e);
            return onAuthFailure(context, "Malformed Basic authentication header");
        }

        if (credentials.length != 2) {
            return onAuthFailure(context, "Could not authenticate with absent password");
        }

        final String username = credentials[0];
        final String password = credentials[1];

        // App-specific AuthUser subclass; play-authenticate's password users take (password, identifier).
        final AuthUser authUser = new AuthUser(password, username);
        final Enum<?> result = AuthProvider.getProvider().loginUser(authUser);

        if ("USER_LOGGED_IN".equals(result.name())) {
            // Remember the caller in the session so later requests skip the credential check.
            PlayAuthenticate.storeUser(context.session(), authUser);
            return null;
        }
        return onAuthFailure(context, "Authentication failure");
    }

    @Override
    public Subject getSubject(final Http.Context context) {
        // your implementation: map the session user to a Deadbolt Subject that carries ROLE_WEB_SERVICE1
        return null; // placeholder until that lookup is implemented
    }

    @Override
    public Result onAuthFailure(final Http.Context context,
                                final String content) {
        // your error handling logic; the challenge header tells HTTP clients to retry with credentials
        context.response().setHeader(WWW_AUTHENTICATE, "Basic realm=\"web service\"");
        return super.onAuthFailure(context, content);
    }
}

Hopefully it fills in some blanks
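The same per-request Basic check as the handler above, written as a framework-independent Python function so the protocol details can be exercised directly: session pass-through, case-insensitive scheme, a single split on the first colon (so passwords containing ':' work), a constant-time password comparison and the WWW-Authenticate challenge on failure. This is an added example, not code from the answer or from play-authenticate; the SERVICE_ACCOUNTS store and realm name are constructed stand-ins for the app's own user lookup.

```python
import base64
import hmac
from typing import Dict, Mapping, Optional, Tuple

# Constructed stand-in for the app's user store (a real store keeps password hashes).
SERVICE_ACCOUNTS: Dict[str, str] = {"friendsite": "s3cret:with:colons"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="web service"'}


def encode_basic(user: str, password: str) -> str:
    """Build the Authorization header value a caller would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_header(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an Authorization header, or None if absent/malformed."""
    if value is None:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":  # scheme name is case-insensitive
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad Base64 or non-UTF-8 bytes
        return None
    user, sep, password = decoded.partition(":")  # split on the FIRST colon only
    if not sep:
        return None  # no colon at all means no password was supplied
    return user, password


def authenticate(headers: Mapping[str, str], session: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Per-request check. Returns (status, extra response headers); 200 lets the controller run.
    A caller that already authenticated in this session passes without resending credentials."""
    if session.get("user"):
        return 200, {}
    creds = parse_basic_header(headers.get("authorization"))
    if creds is None:
        return 401, dict(CHALLENGE)
    user, password = creds
    # Compare in constant time; an unknown user is compared against an empty secret and rejected.
    expected = SERVICE_ACCOUNTS.get(user, "")
    if expected and hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        session["user"] = user  # remember the caller, as storeUser() does in the handler
        return 200, {}
    return 401, dict(CHALLENGE)
```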