使用REST的用户身份验证
[英]User Authentication using REST
问题描述
I apologize if my questions seems to be repetitive but I couldn't find a answer for this yet. 
如果我的问题似乎重复,我很抱歉,但我还没有找到答案。
I am building a REST based application using Spring 3.0 and plan to deploy to Google App Engine eventually. 我正在使用Spring 3.0构建基于REST的应用程序,并计划最终部署到Google App Engine。 Now my clients could be Native Android, iPhone, or a Web Based Client. 现在我的客户可能是原生Android,iPhone或基于Web的客户端。
My users need to login using username and password stored in server inside a persistence layer. 我的用户需要使用存储在持久层内的服务器中的用户名和密码进行登录。 Now say my Android client opens the app and login screen is shown is user. 现在说我的Android客户端打开应用程序,并显示登录屏幕是用户。 Now user types in username and password. 现在用户输入用户名和密码。
I know it would be a post and say my service endpoint is registration. 我知道这将是一个帖子,并说我的服务端点是注册。 So it would be something like 所以它会是这样的
POST /registration POST /注册
Now I plan to put username and password in body of message in Json or XML format. 现在我计划将用户名和密码放在Json或XML格式的消息正文中。 My question is "is this the right way to do it?" 我的问题是“这是正确的方法吗?” I am planning to make it SSL but how should I really send this sensitive info like this in body . 我打算把它变成SSL,但我该如何真正发送这样的敏感信息呢。 I plan to return an OAUth token on successful authentication and use that to validate the user in all future services calls. 我计划在成功进行身份验证时返回OAUth令牌,并使用该令牌在将来的所有服务调用中验证用户。
Thanks in advance. 提前致谢。
2 个解决方案
解决方案1
2 已采纳 2011-04-07 15:39:01
Sounds like you have the right idea. 听起来你有正确的想法。 SSL should ensure whichever method you choose to send it in is secure. SSL应该确保您选择发送它的哪种方法是安全的。
Remember to salt + hash the passwords before storing them: web cryptography - salted hash and other tasty dishes 记住在存储密码之前对密码进行加密 +哈希: 网络加密 - 盐渍哈希和其他美味菜肴
解决方案2
2 2011-04-07 20:45:28
Use the authorization header for sending the username and password information. 使用授权标头发送用户名和密码信息。 That's what it is there for. 这就是它的用途。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.