
How to authenticate users from a rest service

I am trying to authenticate users with a REST service I built using Dropwizard. From previous questions I found a great example of authenticating with OpenID on GitHub: https://github.com/gary-rowe/DropwizardOpenID

However, I don't want to deal with OpenID at the moment and simply want users to 1. Sign up, 2. Sign in

My questions/confusions are:

  1. For Signup: I'm thinking about sending users' username/password as a POST request with the credentials as either form parameters or part of the JSON body. However, isn't there a security risk here of sending the password in plain text?

  2. For Sign-in I'm thinking about using Authenticator in Dropwizard.

  3. I don't want to store passwords in plain text. What strategy should I follow after I get the users' password in the POST as plain text? I'm looking for some Java libraries that can assist with password salting and MD5.

Looking at the docs, we can see that Dropwizard supports a standalone OAuth2 implementation:

http://dropwizard.codahale.com/manual/auth/#oauth2

OAuth2 has several advantages, many of which can be read about here: OAuth 2.0: Benefits and use cases — why?

Things to note:

  • when dealing with authentication, you should always host over HTTPS to ensure transport encryption
  • Dropwizard claims their OAuth2 implementation isn't yet finalized and may change in the future. As a fallback, they support Basic auth as well, which, when used over HTTPS, would still be reasonably secure.
  • Implementing this does not involve using any third party "social" authentication services such as Google or Facebook.
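The question's third point (how to store the password once it arrives in the POST body) is the part neither answer spells out, so here is an added example that is not code from the original post or from Dropwizard. It uses only the JDK: PBKDF2-HMAC-SHA256 via `javax.crypto`, a random 16-byte salt per user, and a constant-time comparison on sign-in. One caveat on the question's own wording: a salted MD5 is not a suitable password hash, because MD5 is fast and cheap to brute-force offline; a deliberately slow, salted KDF such as PBKDF2, bcrypt, scrypt or Argon2 is what you want. The class name `PasswordStore`, the iteration count, the in-memory `ConcurrentHashMap` standing in for a users table, and the `iterations$salt$hash` record format are all assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example (not from the original post or from Dropwizard): a salted
 * password store backed by PBKDF2-HMAC-SHA256 from the JDK. signup() is what
 * the sign-up resource calls after reading the plaintext from the POST body;
 * verify() is what a Basic-auth Authenticator would call on sign-in.
 */
public final class PasswordStore {

    // Parameters are assumptions for the example. Tune ITERATIONS so one
    // derivation costs tens to hundreds of milliseconds on your hardware.
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 100_000;
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;

    private final SecureRandom random = new SecureRandom();
    // username -> "iterations$base64(salt)$base64(hash)"; stands in for a DB table
    private final Map<String, String> records = new ConcurrentHashMap<>();

    /** Sign-up: pick a fresh random salt, derive the hash, store both; never store the password. */
    public void signup(String username, char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        byte[] hash = derive(password, salt, ITERATIONS);
        records.put(username, ITERATIONS + "$" + b64(salt) + "$" + b64(hash));
        Arrays.fill(password, '\0'); // drop the plaintext as soon as it is no longer needed
    }

    /** Sign-in: re-derive with the stored salt and iteration count, compare in constant time. */
    public boolean verify(String username, char[] password) {
        String record = records.get(username);
        if (record == null) {
            // Unknown user: still pay for one derivation so the response time
            // does not reveal which usernames exist.
            derive(password, new byte[SALT_BYTES], ITERATIONS);
            return false;
        }
        String[] parts = record.split("\\$");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = derive(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual); // constant-time for equal-length inputs
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 not available in this JDK", e);
        }
    }

    private static String b64(byte[] bytes) {
        return Base64.getEncoder().encodeToString(bytes);
    }

    public static void main(String[] args) {
        PasswordStore store = new PasswordStore();
        store.signup("alice", "correct horse battery staple".toCharArray());
        // correct password, wrong password, unknown user
        System.out.println(store.verify("alice", "correct horse battery staple".toCharArray()));
        System.out.println(store.verify("alice", "wrong password".toCharArray()));
        System.out.println(store.verify("bob", "anything".toCharArray()));
    }
}
```

Wiring this into the Basic-auth fallback the answer mentions is a small step: a Dropwizard `Authenticator<BasicCredentials, User>` receives the decoded username and password from the `Authorization: Basic` header and would return a populated `Optional<User>` only when `store.verify(credentials.getUsername(), credentials.getPassword().toCharArray())` is true (the `User` type and the resource that calls `signup()` are left to the application). Because Basic auth sends the password base64-encoded rather than encrypted, the HTTPS requirement in the first bullet applies to every request, not only to sign-up.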

Thanks for the shout out for the Dropwizard OpenID project. Glad it was able to get you started.

If you want a pure web form type approach, take a look at another of my projects MultiBit Merchant which provides multiple authentication methods (web form, HMAC, cookie).

You'll need to dig around to really see it working since this project is not designed as a demo as such and is very much a work in progress.

After loading the project, look for WebFormClientAuthenticator which will get you in the right area.

The general principles involved with Dropwizard authentication are discussed in this blog article. Although it targets HMAC, you can easily adapt it for web form or cookie using the source code referenced earlier.

It's all MIT license so just use it as you need.
