
How to authenticate users from a REST service

I am trying to authenticate users with a REST service I built using Dropwizard. From previous questions I found a great example of authenticating with OpenID on GitHub: https://github.com/gary-rowe/DropwizardOpenID

However, I don't want to deal with OpenID at the moment and simply want users to 1. Sign up, 2. Sign in

My questions/confusions are:

  1. For Signup: I'm thinking about sending users' username/password as a POST request with the credentials as either form parameters or part of the JSON body. However, isn't there a security risk here of sending the password in plain text?

  2. For Sign-in I'm thinking about using Authenticator in Dropwizard.

  3. I don't want to store passwords in plain text. What strategy should I follow after I get the users' password in the POST as plain text? I'm looking for some Java libraries that can assist with password salt and MD5.

Looking at the docs, we can see that Dropwizard supports a standalone OAuth2 implementation:

http://dropwizard.codahale.com/manual/auth/#oauth2

OAuth2 has several advantages, many of which can be read about here: OAuth 2.0: Benefits and use cases — why?

Things to note:

  • when dealing with authentication, you should always host over HTTPS to ensure transport encryption
  • Dropwizard claims their OAuth2 implementation isn't yet finalized, and may change in the future. As a fallback, they do support Basic auth as well, which when used over HTTPS would still be reasonably secure.
  • Implementing this does not involve using any third party "social" authentication services such as Google or Facebook.
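As an added illustration of the Basic-auth-over-HTTPS route from this answer together with question 3 (how to store passwords once they arrive in plain text), here is a Dropwizard `Authenticator` that keeps only a salted PBKDF2 hash per user and verifies it in constant time. This is example code written for this page, not code from Dropwizard or from the question's project; it assumes the Dropwizard 1.x+ package names (`io.dropwizard.auth.*`) and a hypothetical in-memory user store. PBKDF2 is used in place of the MD5 the question mentions because MD5 is fast and unsalted by design, which is exactly what a password hash must not be.

```java
import io.dropwizard.auth.AuthenticationException;
import io.dropwizard.auth.Authenticator;
import io.dropwizard.auth.PrincipalImpl;
import io.dropwizard.auth.basic.BasicCredentials;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

/** Keeps "iterations:base64(salt):base64(hash)" per user; the password itself is never stored. */
public class PasswordAuthenticator implements Authenticator<BasicCredentials, PrincipalImpl> {
    private static final int ITERATIONS = 100_000; // tune so one check takes ~100 ms on your hardware
    private static final int SALT_BYTES = 16, KEY_BITS = 256;
    private final Map<String, String> users = new HashMap<>(); // hypothetical in-memory user store
    private final SecureRandom random = new SecureRandom();

    /** Signup: hash the password received over TLS with a fresh random salt and keep only the hash. */
    public void register(String username, char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        users.put(username, ITERATIONS + ":" + b64.encodeToString(salt)
                + ":" + b64.encodeToString(pbkdf2(password, salt, ITERATIONS)));
    }

    /** Signin: invoked by Dropwizard's BasicCredentialAuthFilter for each request carrying Basic auth. */
    @Override
    public Optional<PrincipalImpl> authenticate(BasicCredentials creds) throws AuthenticationException {
        // Unknown users get a dummy record (16 zero bytes of salt, 1 byte of "hash") so that the
        // work done, and therefore the response time, does not reveal which usernames exist.
        String record = users.getOrDefault(creds.getUsername(), ITERATIONS + ":AAAAAAAAAAAAAAAAAAAAAA==:AA==");
        String[] parts = record.split(":");
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(creds.getPassword().toCharArray(), salt, Integer.parseInt(parts[0]));
        // MessageDigest.isEqual compares in constant time, so timing does not leak how many bytes matched.
        return MessageDigest.isEqual(expected, actual)
                ? Optional.of(new PrincipalImpl(creds.getUsername()))
                : Optional.empty();
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 is not available in this JVM", e);
        }
    }
}
```

Register it with Dropwizard's `BasicCredentialAuthFilter` and serve only over HTTPS; the plain-text password then exists only inside the TLS session and in memory for the duration of the hash.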

Thanks for the shout-out for the Dropwizard OpenID project. Glad it was able to get you started.

If you want a pure web form type approach, take a look at another of my projects, MultiBit Merchant, which provides multiple authentication methods (web form, HMAC, cookie).

You'll need to dig around to really see it working since this project is not designed as a demo as such and is very much a work in progress.

After loading the project, look for WebFormClientAuthenticator which will get you in the right area.

The general principles involved with Dropwizard authentication are discussed in this blog article. Although it targets HMAC you can easily adapt it for web form or cookie using the source code referenced earlier.

It's all MIT license so just use it as you need.
