堆栈内存溢出
  简体   繁体   English

使用 Jersey 的基于用户访问的 REST 设计

[英]REST Design of User-based access using Jersey

 原文  2015-07-09 17:44:53       java/ rest/ oauth-2.0/ jersey

问题描述

So I am trying to get my head around how to design my REST resources and how security fits into all of this.所以我正在努力思考如何设计我的 REST 资源以及安全性如何适应所有这些。 I am new to REST and user authentication in general so please bear with me - I am sure this is a really stupid question.我是 REST 和用户身份验证的新手,所以请耐心等待 - 我相信这是一个非常愚蠢的问题。

Now I know that you can define security roles for users, and restrict access to resources depending on whether they are an admin or not.现在我知道您可以为用户定义安全角色,并根据他们是否是管理员来限制对资源的访问。

Where I am getting confused is say I have a situation where a certain user, 1234 say, has a list of subscriptions.我感到困惑的地方是说我遇到了某个用户(例如 1234)有订阅列表的情况。 Now only user 1234 should be able to access his subscriptions.现在只有用户 1234 应该能够访问他的订阅。

GET /user_id/1234/subscriptions

In this scenario, using roles doesn't make any sense, as you would have to define roles for each user.在这种情况下,使用角色没有任何意义,因为您必须为每个用户定义角色。 Do we have to control this access by doing some kind of check in the code to make sure this user has access?我们是否必须通过在代码中进行某种检查来控制此访问权限以确保该用户具有访问权限? For example:例如:

@Path("/user_id/{user_id}/subscriptions")
@GET
public getSubscriptions(@PathParam("user_id" int user_id))
{
    if(user_id == "some code here that checks what the user_id of the current user is")
    {
        return Response.ok(getUserSubscriptionsFromDB(user_id));
    }
    else
    {
        return Response.status(Status.UNAUTHORIZED).build();
    }
}

Is this how it is supposed to be done, or have i got it all wrong?这是应该如何完成的,还是我弄错了? If that is how you would go about it, what would the actual code in the "" look like?如果这就是您的处理方式,“”中的实际代码会是什么样子? What object would I be interrogating to get my hands on the user_id?我会询问什么对象来获取 user_id? [The plan is in the future to use OAUTH2 social login for google, facebook etc.... but I might just use basic authentication too] [计划在未来使用 OAUTH2 社交登录用于 google、facebook 等......但我也可能只使用基本身份验证]

1 个解决方案

解决方案1
 1 已采纳  2015-07-09 18:31:20

You basically got it right.你基本上做对了。 The terminology for this type of authorization is Permission/Activity Based Authorization and is widely used for CRUD operations on recources like RESTful services.这种授权的术语是基于权限/活动的授权,广泛用于对 RESTful 服务等资源的 CRUD 操作。

A pseudo code would more look like this:伪代码看起来更像这样:

@Path("/users/{userId}/subscriptions")
@GET
public getSubscriptions(@PathParam("userId" int userId))
{
    if(getSubject().isPermitted("subscriptions:read:"+userId)
    {
        return Response.ok(getUserSubscriptionsFromDB(userId));
    }
    else
    {
        return Response.status(Status.UNAUTHORIZED).build();
    }
}

You might want to have a look on Apache Shiro which has pretty decent permission based authorization support.您可能想看看Apache Shiro ,它具有相当不错的基于权限的授权支持。

You additionally might want to have a look on best practices for naming your REST resources .您可能还想了解命名REST 资源的最佳实践。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在jax-rs rest服务中实现基于用户的定制授权? - How to implement custom user-based authorization in jax-rs rest service? 在Android Firebase中实现基于用户的安全性 - Implementing user-based security in Android Firebase 使用 jQuery 访问基于 Jersey 的 RESTful 服务 - Access Jersey based RESTful service using jQuery 使用Jersey使用Java进行REST - REST with Java using Jersey 使用Jersey 2的REST API - REST API using Jersey 2 使用 oAuth 2.0 保护基于 Jersey 的 REST 服务 - Securing Jersey based REST service using oAuth 2.0 Jersey REST服务上的用户身份验证 - User authentication on a Jersey REST service 推荐系统:简单的基于用户的协同过滤,可以精确评估和召回 - Recommender system: simple user-based collaborative filtering to evaluate with precision and recall RESTful Jersey用户访问准则 - Guidelines for RESTful Jersey User access 使用jersey在URL中进行REST版本控制 - REST versioning in URL using jersey
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM