使用Android的Spring Security调用REST Web服务
[英]Calling a REST web service secured with Spring Security from Android
问题描述
I'm hosting a REST web service in a Grails application, using Spring Security, ie: 
我正在使用Spring Security在Grails应用程序中托管REST Web服务,即:
@Secured(['IS_AUTHENTICATED_REMEMBERED'])
def save = {
println "Save Ride REST WebMethod called"
}
I'm calling it from an Android app. 我是从Android应用程序调用它。 (Calling the unsecured service works just fine.) (调用不安全的服务工作正常。)
To call the service, I'm manually building up a request ( HttpUriRequest ) and executing it with an HttpClient . 要调用该服务,我手动构建一个请求( HttpUriRequest )并使用HttpClient执行它。
I'm wondering what the best practices are, and how to implement them... Specifically, should I: 我想知道最佳实践是什么,以及如何实现它们......具体来说,我应该:
- Perform a login once, to retrieve a JSESSION_ID, then add a header containing it into the HttpUriRequest for each subsequent request? 执行一次登录,检索JSESSION_ID,然后为每个后续请求将包含它的标题添加到HttpUriRequest中?
- Or (not sure how I would even do this) include the login and password directly on each request, foregoing the cookie/server-side session 或者(不确定我甚至会这样做)直接在每个请求中包含登录名和密码,在cookie /服务器端会话之前
I think I can get option 1 working, but am not sure if Spring Security permits (2), if that's the way to go... Thanks! 我想我可以选择1工作,但我不确定Spring Security是否允许(2),如果这是要走的路......谢谢!
--also, there isn't any library I'm missing that would do all this for me is there? - 而且,没有任何我想念的图书馆会为我做这一切吗? :) :)
2 个解决方案
解决方案1
10 已采纳 2011-01-12 02:33:22
Spring security does support both basic authentication and form based authentication (embedding the username/password in the URL). Spring安全性确实支持基本身份验证和基于表单的身份验证(在URL中嵌入用户名/密码)。
A REST service is generally authenticated on each and every request, not normally by a session. REST服务通常在每个请求上进行身份验证,通常不是通过会话进行身份验证。 The default spring security authentication (assuming you're on 3.x) should look for basic authentication parameters or form parameters (j_username and j_password) (in the form http://you.com/rest_service?j_username=xyz&j_password=abc ). 默认的spring安全身份验证(假设您使用的是3.x)应查找基本身份验证参数或表单参数(j_username和j_password)(格式为http://you.com/rest_service?j_username=xyz&j_password=abc )。
Manually tacking the j_username/j_password onto the URL, adding them as post parameters (I believe), or setting the basic authentication username/password should all work to authenticate a REST service against the default Spring Security interceptors, right out of the box. 手动将j_username / j_password添加到URL上,将它们添加为post参数(我相信),或者设置基本身份验证用户名/密码都应该可以使用默认的Spring Security拦截器来验证REST服务。
I will admit that I haven't tried this on REST services, though I do clearly recall reading exactly this in the docs as I did the same for basic page logins on spring security recently. 我承认我还没有在REST服务上尝试过这个,尽管我确实清楚地记得在文档中读到这一点,因为我最近对Spring安全性的基本页面登录做了同样的事情。 Disclaimer over. 免责声明。
解决方案2
9 2011-07-25 13:44:52
I think you can use a login-once-and-get-a-token method that's similar to how oauth works. 我认为你可以使用类似于oauth工作方式的login-once-and-get-a-token方法。
sending username and password across the network outside of secured channel(https/ssl) is a terrible idea. 在安全通道(https / ssl)之外通过网络发送用户名和密码是一个糟糕的主意。 anyone on the network can sniff your request package and see the clear text password. 网络上的任何人都可以嗅探您的请求包并查看明文密码。
on the other hand, if you use a token method, since the token string is randomly generated, even the token is compromised, the worst case is someone can use the token accessing your REST API. 另一方面,如果使用令牌方法,由于令牌字符串是随机生成的,即使令牌被泄露,最坏的情况是有人可以使用访问REST API的令牌。
another solution is going through ssl tunnel(HTTPS). 另一种解决方案是通过ssl隧道(HTTPS)。 i have actually done a comparison and result shows: 80 requests/min(https) vs 300 requests/min(http) 我实际做了一个比较,结果显示:80个请求/分钟(https)vs 300个请求/分钟(http)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.