stackoom
  简体   繁体   中英

Using JDBCRealm securing REST webservices?

 原文  2013-04-09 16:51:59       java/ web-services/ rest/ authentication/ jdbcrealm

Question

I have read very nice answers here how to secure REST-services, but all of them are just pure theory and didn't help so much. How you implement JDBCRealm-FORM authentication when using REST?

Login form 

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Login Form</title>
</head>

<body>
<form method="post" action="j_security_check">
<p>You need to log in to access protected information.</p>
<table>
   <tr>
      <td>User name:</td>
      <td><input type="text" name="j_username" /></td>
   </tr>
   <tr>
      <td>Password:</td>
      <td><input type="password" name="j_password" /></td>
   </tr>
</table>
<p><input type="submit" value="Login" /></p>
</form>
</body>
</html>

web.xml 

<security-constraint>
    <web-resource-collection>
        <web-resource-name>How to protect REST</web-resource-name>
        <url-pattern>/protected/*</url-pattern>----> What is that in case of rest?
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
        <role-name>customer</role-name>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jdbcRealm</realm-name>

</login-config>
<security-role>
    <role-name>admin</role-name>
</security-role>
<security-role>
    <role-name>user</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>customer</role-name>
</security-role>

QUESTIONS:

1) I have created JDBCRealm in Glassfish and it is working. I tested it with another jsf-app. In case of clien-REST-service what is for instance that: <url-pattern>/protected/*</url-pattern> In normal case it refers to "folder" where protected jsp/jsf/xhtml etc pages are, but where now?

2) What about session? I think that it is impossible to use session in stateless context

3) Is it even possible to use FORM-based authentication with REST?

4) Any links to tutorial where somebody wiser than me explain how to secure client - server rest application.

2 answers

solution1
 1  2013-04-09 18:23:35

You cannot have FORM auth with REST because every request must be complete in itself and stateless. Form with redirect isn't. You need to use a standard HTTP header-based mech like Basic, Digest, etc.

solution2
 1  2013-04-09 21:18:13

1) I have created JDBCRealm in Glassfish and it is working. I tested it with another jsf-app. In case of clien-REST-service what is for instance that: /protected/* In normal case it refers to "folder" where protected jsp/jsf/xhtml etc pages are, but where now?

You can choose to protect the entire REST services subdomain, or a portion of it. Assuming you configured the root to be /rest , that is what you would put in your url-pattern.

2) What about session? I think that it is impossible to use session in stateless context

Depends on your REST implementation. With JAX-RS (Jersey) the answer is absolutely yes, you can use the HTTP session. You inject it into your resource class via a @Context annotation: 

@Path("/echo")
public class EchoServiceImpl {
    @Context
    private HttpSession session;
}

Having confirmed that you can use the session, I would strongly advise against it, because RESTful calls are supposed to be stateless.

3) Is it even possible to use FORM-based authentication with REST?

It doesn't make sense using form based authentication for REST, no. You are designing services to be consumed by other computer systems, not by humans. There should be no interactive UI's involved in the process.

4) Any links to tutorial where somebody wiser than me explain how to secure client - server rest application.

This is a tough one, theres lots of guides out there but a lot of them are very specific to the particular technology stack being used in the REST implementation. As a start I would recommend you change your current configuration from FORM to BASIC, and also think about securing your endpoint with SSL. Do remember that when you use Basic Authentication, that you need to include the user credentials in an Authorization header: 

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

You can read up on how to compute the header here

Once comfortable with Basic/Digest authentication, you will then be ready to start looking at more advanced security options like OAuth.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Securing REST Web Service using token (Java) Securing Rest Service Resources Using Apache Shiro FORM based authentication using JDBCRealm Exceptions happen when using JDBCRealm Securing REST using JAVA and an iPhone App using Appcelerator Securing Rest API using Spring Security with AJAX Authentication Securing Jersey based REST service using oAuth 2.0 Generate Server Side session using Angular 5 (REST Webservices) How to parse JSON array using Jersey Rest Webservices and Java How to debug my rest webservices maven project using postman ?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM