如何在RESTful API中完成用户身份验证?
[英]How is user authentication done in a RESTful API?
问题描述
I'm trying to develop a simple web service using Recess , which is a web framework aimed at being simple to use and being inherently RESTful. 
我正在尝试使用Recess开发一个简单的Web服务,这是一个旨在易于使用并且本质上是RESTful的Web框架。 I've found it to be very easy to use the CRUD functionality in Recess. 我发现在Recess中使用CRUD功能非常容易。 I've created a model with its backend in a MySQL database, and found that a REST API was already available for use. 我已经在MySQL数据库中创建了一个带有后端的模型,并且发现REST API已经可供使用。
That's great, but the problem is that I have no user authentication, which pretty much renders the really nice functionality I described above completely useless. 很好,但是问题是我没有用户身份验证,这几乎使我上面描述的非常好的功能完全没有用。 In a real world application, authentication would be needed for accessing user-specific resources. 在实际应用中,访问用户特定资源需要身份验证。 For example, let's say I'm developing a simple "to-do" application (which I'm not, by the way). 例如,假设我正在开发一个简单的“待办事项”应用程序(顺便说一下,我不是)。 The user has no interest in what other people put in their to-do lists, so the service needs to identify who the user is, so as to provide the correct data. 用户对其他人在他们的待办事项列表中放置的内容不感兴趣,因此服务需要识别用户身份,以便提供正确的数据。 Also, the user should not be allowed to read, delete or update other peoples' resources. 另外,不应允许用户读取,删除或更新其他人的资源。
This is done normally with a login system. 这通常是通过登录系统完成的。 But for a REST API, how is the user authenticated? 但是对于REST API,如何验证用户身份? Does the client need to provide the user's credentials (like a username and password) every time a request is made? 每次发出请求时,客户端是否需要提供用户的凭据(例如用户名和密码)? How can that be avoided? 如何避免呢? Normally, one can use cookies, but this is probably not good practice, since not all clients are necessarily web browsers. 通常,一个人可以使用cookie,但这可能不是一个好习惯,因为并非所有客户端都一定是Web浏览器。 But if we are to emulate the functionality of cookies, how do we transmit the "cookies'" contents (normally, this is done in the HTTP header)? 但是,如果我们要模拟cookie的功能,我们如何传输“ cookies”的内容(通常是在HTTP标头中完成)? And finally, how can I integrate a solution to these problems in Recess's built-in REST functionality? 最后,我如何在Recess的内置REST功能中集成针对这些问题的解决方案?
As you can see, I'm fairly new to developing REST APIs, so any suggestions and pointers would be welcome. 如您所见,我对开发REST API尚不陌生,因此欢迎您提出任何建议和指针。
1 个解决方案
解决方案1
3 已采纳 2012-10-05 03:32:07
RESTful systems leverage existing technologies already available rather then re-implement them. RESTful系统利用现有的现有技术,然后重新实现它们。 And since HTTP already contains authentication support in the form of Basic Authentication , you should just re-use that. 并且由于HTTP已经包含基本身份验证形式的身份验证支持,因此您应该重新使用它。 It's a widely-supported mechanism for clients to transmit their credentials. 这是客户端传输其凭据的广泛支持的机制。
And yes, the client should send their credentials with each request. 是的,客户端应随每个请求发送其凭据。 Cookies are for human clients who don't like to type in their password repeatedly, and that's not the case here. Cookies适用于不希望重复输入密码的人类客户,在这里情况并非如此。 Cookies imply session statefulness on your server and that can make scalability very difficult. Cookies暗示服务器上的会话有状态,这可能使可伸缩性非常困难。
There are probably a hundred questions on this site about RESTful authentication. 关于RESTful身份验证,此网站上可能存在一百个问题。 I'd encourage you to search for and read the more popular ones. 我鼓励您搜索并阅读最受欢迎的文章。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.