
Java REST service using authentication token

On my web app, using Java EE 6, I want to expose some of my functionality as a JSON REST service. I want to use authentication tokens for login: the user will send their username and password, and the server will send back a token, which will be used to authorize the user on their further requests for a given time.

A few questions have been bothering me so far:

  • When the server creates the token and sends it to the client, should the server save it in a DB, or in a bean using something like a hashtable of userid-token pairs?

  • Can I get some help using any Java EE specific API, or does this have to be all custom code?

Here's my input:

  • I would save the token in the DB; in case you need to restart the server, you don't want to lose all your users' tokens. You could potentially save it in memory as well to speed up requests and only look it up in the DB if it is not found in memory.

  • I would accept the token in the header. I would put the REST service on HTTPS so the request is encrypted, and then you don't need to worry about encrypting the token manually in the request.

  • I would probably look at JAX-RS and see what features it offers.
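The first two points of this answer (a DB-backed token store with an in-memory cache, and the token accepted from a request header) can be put together in a JAX-RS request filter. The following is an added example, not code from the question or any answer. It assumes JAX-RS 2.0 and Java 8 (a `ContainerRequestFilter` does not exist in the JAX-RS 1.1 that ships with Java EE 6, so a Java EE 6 deployment would need a vendor filter or a servlet filter instead), and `SessionRepository` is a hypothetical persistence interface standing in for whatever JPA or JDBC code backs the DB. Only a SHA-256 hash of the token is stored, so a leaked table does not yield usable tokens.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** Session record: which user the token belongs to and when it stops being valid. */
final class Session {
    final String userId;
    final Instant expiresAt;
    Session(String userId, Instant expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    boolean expired(Instant now) { return !now.isBefore(expiresAt); }
}

/** Hypothetical persistence boundary: back it with JPA/JDBC so tokens survive a server restart. */
interface SessionRepository {
    void save(String tokenHash, Session session);
    Optional<Session> find(String tokenHash);
    void delete(String tokenHash);
}

/** Issues tokens and resolves them: memory first, DB on a cache miss, as the answer suggests. */
final class TokenService {
    private static final Duration TTL = Duration.ofHours(1);          // expiry policy; tune to your needs
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Session> cache = new ConcurrentHashMap<>();
    private final SessionRepository repo;

    TokenService(SessionRepository repo) { this.repo = repo; }

    /** Called after the username/password check succeeded; returns the raw token to hand to the client. */
    String issue(String userId) {
        byte[] bytes = new byte[32];                                      // 256 bits from a CSPRNG
        random.nextBytes(bytes);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        Session s = new Session(userId, Instant.now().plus(TTL));
        String hash = sha256(token);                                      // persist the hash, never the token itself
        cache.put(hash, s);
        repo.save(hash, s);
        return token;
    }

    /** Resolves a presented token to a user id, or empty if the token is unknown or expired. */
    Optional<String> authenticate(String token) {
        String hash = sha256(token);
        Session s = cache.get(hash);
        if (s == null) {
            s = repo.find(hash).orElse(null);                             // cache miss (e.g. after restart): ask the DB
            if (s != null) cache.put(hash, s);
        }
        if (s == null) return Optional.empty();
        if (s.expired(Instant.now())) {                                   // enforce expiry on every request
            cache.remove(hash);
            repo.delete(hash);
            return Optional.empty();
        }
        return Optional.of(s.userId);
    }

    static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);                           // SHA-256 is mandatory in every JRE
        }
    }
}

/** JAX-RS 2.0 filter: every resource except login requires "Authorization: Bearer <token>". */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class TokenAuthFilter implements ContainerRequestFilter {
    private final TokenService tokens;   // inject via CDI, or construct with your SessionRepository implementation

    public TokenAuthFilter(TokenService tokens) { this.tokens = tokens; }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String path = ctx.getUriInfo().getPath();                         // relative to the application base URI
        if (path.equals("login") || path.equals("/login")) return;        // hypothetical login resource stays open
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith("Bearer ")) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        Optional<String> user = tokens.authenticate(header.substring("Bearer ".length()).trim());
        if (!user.isPresent()) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        ctx.setProperty("userId", user.get());                            // resources read this via @Context ContainerRequestContext
    }
}
```

The filter never distinguishes "unknown token" from "expired token" in its response, so a caller learns nothing about which tokens exist. As the answer says, this only holds up if the service is served over HTTPS; the bearer token is a credential in the clear otherwise.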

I recently blogged on how to set up role-based authorization in a JAX-RS REST API using both a simple session token approach and a more secure method of signing requests using the session token as a shared secret.

It boils down to:

  • Get a session token from the server along with some identifier for the user
  • Use the token to encrypt the information in the request
  • Also use a timestamp and nonce value to prevent MITM attacks
  • Never pass the session token back and forth except for when retrieving it initially
  • Have an expiry policy on session tokens
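The signing scheme this answer outlines (session token kept as a shared secret, a timestamp and nonce in each request, the token itself never sent again) can be shown with nothing beyond the JDK. The following is an added example, not code from the answer or the linked blog post: it uses HMAC-SHA256 rather than encryption of the request body, since what the server needs is integrity and replay protection, and the header names `X-User-Id`, `X-Timestamp`, `X-Nonce` and `X-Signature` are constructed for the example. The server looks the session token up by the user id and recomputes the signature; the nonce table is updated only after the signature checks out, so unauthenticated traffic cannot fill it.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Signs and verifies requests with HMAC-SHA256 keyed by the session token (the shared secret). */
public final class RequestSigner {
    private static final long WINDOW_SECONDS = 300;                 // reject timestamps more than 5 minutes off
    private final Map<String, Long> seenNonces = new ConcurrentHashMap<>();   // nonce -> timestamp of first use

    /** Canonical string: every field the server checks, newline-separated so fields cannot bleed into each other. */
    static String canonical(String method, String path, String body, long timestamp, String nonce) {
        return method + "\n" + path + "\n" + sha256B64(body) + "\n" + timestamp + "\n" + nonce;
    }

    static String hmac(String sessionToken, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(sessionToken.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
            return Base64.getEncoder().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static String sha256B64(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Client side: the headers to attach. The session token itself is never transmitted after login. */
    static Map<String, String> sign(String userId, String sessionToken, String method, String path,
                                    String body, long timestamp, String nonce) {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("X-User-Id", userId);
        h.put("X-Timestamp", Long.toString(timestamp));
        h.put("X-Nonce", nonce);
        h.put("X-Signature", hmac(sessionToken, canonical(method, path, body, timestamp, nonce)));
        return h;
    }

    /** Server side: sessionToken is fetched from the store by X-User-Id; the client did not send it. */
    boolean verify(String sessionToken, String method, String path, String body,
                   Map<String, String> headers, long nowSeconds) {
        long ts;
        try {
            ts = Long.parseLong(headers.get("X-Timestamp"));
        } catch (NumberFormatException | NullPointerException e) {
            return false;
        }
        if (Math.abs(nowSeconds - ts) > WINDOW_SECONDS) return false;   // stale or future-dated request
        String nonce = headers.get("X-Nonce");
        String sig = headers.get("X-Signature");
        if (nonce == null || sig == null) return false;
        String expected = hmac(sessionToken, canonical(method, path, body, ts, nonce));
        // Constant-time comparison: a plain equals() leaks how many leading bytes matched.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   sig.getBytes(StandardCharsets.UTF_8))) return false;
        purge(nowSeconds);
        return seenNonces.putIfAbsent(nonce, ts) == null;               // a second use of the same nonce fails
    }

    /** Nonces older than the window can be forgotten: their timestamp check already rejects them. */
    private void purge(long nowSeconds) {
        seenNonces.entrySet().removeIf(e -> nowSeconds - e.getValue() > WINDOW_SECONDS);
    }

    public static void main(String[] args) {
        String token = "constructed-session-token-from-login";          // constructed sample secret
        long now = System.currentTimeMillis() / 1000;
        String nonce = UUID.randomUUID().toString();
        Map<String, String> headers = sign("alice", token, "POST", "/api/orders", "{\"item\":1}", now, nonce);

        RequestSigner server = new RequestSigner();
        System.out.println("valid:    " + server.verify(token, "POST", "/api/orders", "{\"item\":1}", headers, now));
        System.out.println("replayed: " + server.verify(token, "POST", "/api/orders", "{\"item\":1}", headers, now));
        System.out.println("tampered: " + server.verify(token, "POST", "/api/orders", "{\"item\":2}", headers, now));
        System.out.println("stale:    " + server.verify(token, "POST", "/api/orders", "{\"item\":1}", headers, now + 600));
    }
}
```

The in-memory nonce table has the same restart problem as an in-memory token store: a nonce used just before a restart could be accepted again just after it. Persisting nonces for the length of the window, or keying them to the session record in the DB, closes that gap.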

Saving the token in a bean or hash table would not be persistent. A DB would persist between executions.

If you are going to be using REST then you can either pass the authentication in the parameters to the method, or in the request header itself. Encryption is a different matter. I guess it depends on the scale of the system, and how open it is. If security is a top importance, then yes, you should find some form of encryption.

I have done similar things using the Spring Framework and Spring Security. These things are relatively simple using this. To write custom code is to reinvent the wheel. There are many frameworks out there which will help you. However, you would then have the learning curve of the framework.
