
Two-way SSL/TLS authentication in a Rest Web Service

I am going to expose my situation. I have a REST application running on Apache Tomcat 7.0. The question is that I want to authenticate and create client roles on the REST API server in order to allow users to make some actions or not. The authentication and roles of clients will be determined by the SSL/TLS client certificate that clients have to send to the server.

Strategy is:

  • A Rest Client application sends a request to the server.
  • Apart from sending actions in the POST request, the client sends its own SSL/TLS certificate (I don't know how).
  • The Rest Web Service receives this request from the client, processes it and determines the client role with the SSL/TLS certificate, in order to answer whether the action request is allowed or not.

Is this feasible? Can anybody help with some tutorials or other posts?
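As an added example (not code from the question or the answer), assuming Tomcat's HTTPS connector is configured with clientAuth="true" and a truststore holding only the CA that issues client certificates: a hypothetical servlet filter that reads the verified client certificate Tomcat attaches to the request, maps its subject OU to a role, and rejects requests with no certificate or an unknown role. The attribute name "client.role" and the role names are constructed for the example.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter. Tomcat performs the mutual-TLS handshake (connector with clientAuth="true"
// and a truststore holding only the client CA) and exposes the verified chain on the attribute below.
public class ClientCertRoleFilter implements Filter {
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Assumption: the OU of the client certificate is the role the CA issued it for.
    static final Set<String> KNOWN_ROLES = new HashSet<String>(Arrays.asList("admin", "reader"));

    // Role = OU of the subject DN (LdapName honours RFC 2253 escaping), or null if absent/unknown.
    static String roleFromSubject(String subjectDn) {
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if ("OU".equalsIgnoreCase(rdn.getType())) {
                    String ou = String.valueOf(rdn.getValue());
                    return KNOWN_ROLES.contains(ou) ? ou : null;
                }
            }
        } catch (InvalidNameException e) { /* unparsable DN: treated as no role */ }
        return null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        // No verified chain (plain HTTP, or clientAuth="want"): refuse, never fall back to anonymous.
        if (!request.isSecure() || certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        String role = roleFromSubject(certs[0].getSubjectX500Principal().getName());
        if (role == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate carries no known role");
            return;
        }
        request.setAttribute("client.role", role); // resources check this before allowing an action
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

The filter does no certificate validation of its own: it trusts the chain only because the connector already verified it against the truststore, so the check is exactly as strong as that connector setting.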

We adopted HMAC authentication in our REST services. Good read: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
