简体繁体 English

Web客户端到后端REST服务的angular2登录页面

[英]angular2 login page for a web client to a back-end REST service

原文 2016-10-28 15:21:38 1 1 rest/ security/ authentication/ angular

I am writing an Angular2 client web application client as a front end for a REST services providing access to some resources. 我正在编写Angular2客户端Web应用程序客户端，作为REST服务的前端，以提供对某些资源的访问。

The REST service is protected with basic HTTP auth, and allows unauthenticated access for some of its endpoints (for instance GET /freeresource ), while requires user/password authentication for other endpoints (say GET /protectedresource , or POST /freeresource , etc.). REST服务受基本HTTP身份验证保护，并允许其某些端点（例如GET /freeresource ）进行未经身份验证的访问，而要求其他端点进行用户/密码身份验证（例如GET /protectedresource或POST /freeresource等）。。

For my Angular2 client, I would like to implement a loging page allowing access to the web application with the same ":" accepted by REST service. 对于我的Angular2客户端，我想实现一个日志页面，该页面允许使用REST服务接受的相同“：”访问Web应用程序。 For this I'm following this tutorial : https://medium.com/@blacksonic86/angular-2-authentication-revisited-611bf7373bf9#.myifbz656 为此，我正在关注本教程： https : //medium.com/@blacksonic86/angular-2-authentication-revisited-611bf7373bf9#.myifbz656

The problem is that the above tutorial assumes that the backend REST service has an explicit /login endpoint returning an authentication token to which you post your credentials, while my REST service does not have such an endpoint, but just returns an authorization error when passed missing or wrong credentials for endpoints that require them. 问题是上面的教程假定后端REST服务具有显式的/login终结点，该终结点返回您向其发布凭据的身份验证令牌，而我的REST服务没有这样的终结点，但是在丢失时仅返回授权错误或需要它们的端点的凭据错误。 I didn't find any alternative article or tutorial for a situation like this. 对于这种情况，我没有找到任何替代文章或教程。

What is the correct way of proceeding in such a case? 在这种情况下，正确的处理方式是什么？ I could "simulate" the /login endpoint by accessing for instance a protected resource with username and password read from the app login page and trying to access a protected resource GET /protectedresource , considering as a failed login if this call returns an unauthorized error, but clearly this is not a satisfying solution (what today is a protected resource could become freely accessible tomorrow, for instance), so what is a "clean" way to implement the web app login in this case? 我可以通过例如使用从应用程序登录页面读取的用户名和密码访问受保护的资源并尝试访问受保护的资源GET /protectedresource来“模拟” /login端点，如果此调用返回unauthorized错误，则视为登录失败，但这显然不是一个令人满意的解决方案（例如，今天什么是明天可以免费访问的受保护资源），那么在这种情况下实现Web应用程序登录的“干净”方法是什么？

1 个解决方案

You don't need to simulate the /login endpoint. 您不需要模拟/ login端点。 You just need to know on the client accessing which resource requires authentication. 您只需要知道在客户端上访问哪些资源需要身份验证。 You can implement the same "CanActivate" method from the tutorial, and write your service call to pass credentials (or use the local storage if the user is authenticated already) when you make the REST call. 您可以在本教程中实现相同的“ CanActivate”方法，并在进行REST调用时编写服务调用以传递凭据（如果用户已通过身份验证，则使用本地存储）。 If your REST endpoints require authentication every time, get them from the user at the login page, store them in the local storage, then pass them to the endpoints that need authentication. 如果您的REST端点每次都需要身份验证，请在登录页面上从用户处获取它们，将其存储在本地存储中，然后将其传递给需要身份验证的端点。