简体繁体 English

REST HTTP身份验证 - 如何？

[英]REST HTTP Authentication - How?

原文 2012-01-09 00:01:00 8 4 java/ web-services/ authentication/ resteasy

So, I'm developing a REST webservice using RESTeasy and Google App Engine. 所以，我正在使用RESTeasy和Google App Engine开发REST Web服务。 My question isn't related to GAE, but I mentioned it just in case it matters. 我的问题与GAE无关，但我提到它只是在重要的情况下。 It happens that naturally I need to secure my resources and my own users (not Google's). 事实上，我需要保护我的资源和我自己的用户（不是谷歌的）。

Securing a REST webservice seems like a very controversial subject, or at least a very 'liberal' one. 保护REST Web服务似乎是一个非常有争议的主题，或者至少是一个非常“自由”的主题。 REST doesn't impose any standard on this matter. REST没有对此事项施加任何标准。 From what I've researched on the web and literature, there are at least 3 approaches that I think might fit in my application: 根据我在网络和文献上的研究，我认为至少有3种方法可能适用于我的应用程序：

HTTP Basic (with SSL) HTTP Basic （使用SSL）
HTTP Digest (with SSL) HTTP摘要 （使用SSL）
OAuth OAuth的

OAuth seems like the most complete approach. OAuth似乎是最完整的方法。 But I don't think that such a complexity is needed because I will not need to authorize any 3rd party applications. 但我认为不需要这么复杂，因为我不需要授权任何第三方应用程序。 It is a webservice to be consumed by my own client applications only. 它是仅由我自己的客户端应用程序使用的Web服务。

HTTP Basic and HTTP Digest appear as the most simple ones on the web, but the fact is that I've never found a concrete implementation of them using RESTeasy, for example. HTTP Basic和HTTP Digest在Web上看起来是最简单的，但事实是我从未使用RESTeasy找到它们的具体实现，例如。 I've found this page and this one in RESTeasy's documentation. 我发现这个网页和这一个 RestEasy的的文档。 They are indeed very interesting, but they tell little or nothing on this subject (HTTP Basic or Digest). 它们确实非常有趣，但它们对此主题（HTTP Basic或Digest）几乎没有任何说明。

So, here I am asking: 所以，我在这里问：

How do I secure my WebService using HTTP Basic or Digest in RESTeasy? 如何使用RESTeasy中的HTTP Basic或Digest保护我的WebService？

Perhaps it is so simple that it isn't worth mentioning in the documentation or anywhere else? 也许这很简单，在文档中或其他任何地方都不值得一提？ Also, if anyone can provide me some insight on the matter of securing RESTful webservices, it could be helpful. 此外，如果有人能够就保护RESTful Web服务的问题向我提供一些见解，那么它可能会有所帮助。

Am I choosing the right approaches? 我选择了正确的方法吗？

4 个解决方案

The simplest way to secure a REST API is to use HTTP Basic authentication over SSL. 保护REST API的最简单方法是使用SSL上的HTTP基本身份验证。 Since the headers are encrypted there is not much point of using Digest. 由于标头是加密的，因此使用摘要没有多大意义。 This should work great as long as you can keep the password secure on the client(s). 只要您可以在客户端上保持密码安全，这应该可以正常工作。

I've managed to accomplish this by using RESTeasy's Interceptors. 我已经设法通过使用RESTeasy的拦截器来实现这一目标。 Basically the requests are intercepted by using a listener like class. 基本上，通过使用像类这样的监听器来拦截请求。 In this class I inspect for the request's HTTP headers and then the normal Basic-Auth process goes on. 在这个类中，我检查请求的HTTP头，然后继续正常的Basic-Auth过程。

Useful links: 有用的链接：

http://en.wikipedia.org/wiki/Basic_access_authentication http://en.wikipedia.org/wiki/Basic_access_authentication
Passing parameters in the message header with a REST API 使用REST API传递消息头中的参数
http://www.alemoi.com/dev/httpaccess/ (the Servlet part) http://www.alemoi.com/dev/httpaccess/(Servlet部分）

I hope this helps anyone. 我希望这可以帮助任何人。

Thanks. 谢谢。

you will definitely face a security risk when using any authentication method without SSL. 使用任何没有SSL的身份验证方法时，您肯定会面临安全风险。

but if you did use SSL, you will usually suffer from a poor performance. 但如果你确实使用了SSL，那么你通常会遇到性能不佳的问题。

Oauth is actually a solution to allow 3rd party to obtain access to your webservices. Oauth实际上是一种允许第三方获取对您的Web服务的访问权限的解决方案。

due to the limited selection, my solution to a current webservices that require authentication used the combination of SSL+basic 由于选择有限，我对需要身份验证的当前Web服务的解决方案使用了SSL + basic的组合

You might look at using OAuth 2 . 您可以查看使用OAuth 2 。 It is significantly simpler then OAuth 1 and is actively being used on large REST API by Facebook and Google. 它比OAuth 1简单得多，并且被Facebook和Google主动用于大型REST API。