stackoom
  简体   繁体   中英

User authentication for web services in Java

 原文  2012-09-24 14:16:47       java/ web-services/ security/ authentication/ tomcat

Question

Suppose I have a simple Java server application, which implements a few web ( REST ) services. The application is deployed as war in Tomcat . Now I would like to add user authentication as follows:

  • Add a plain text file users with user names and passwords on the server side. User is required to send both user name and password with each request and the server tests them against the file.

  • In order to prevent sending passwords as clear text I am considering one-way encryption just like one used in /etc/passwd . So users will be required to encrypt their passwords before sending them in the requests.

Does this approach make any sense? Is there any "ready-to-use" implementation of this approach in Java?

4 answers

solution1
 3  2012-09-24 14:24:04

Spring Security ? This a non-intrusive way of securing web apps and very flexible in how the data can be stored - ie a plain text file, xml or a database of usernames and passwords.

solution2
 1  2012-09-24 14:28:11

There are a ton of ways to skin this cat. First, you probably want to use digest authentication or SSL form-based authentication, since relying on a client-side hash can be subjected to replay attacks.

My recommendation would be to use Spring Security. Take a look at this example of HTTP digest authentication.

Another way might be to use the servlet container to accomplish this for you. Take a look here for both digest and form-based auth techniques.

Also, you should really read up on proper password storage techniques for web applications . Make sure you're using a sufficiently complex (aka slow) hashing algorithm like bcrypt and give each password a unique salt. Finally, make sure the transport of credentials is secure, either by using HTTP digest authentication (alright), or by using SSL form-based authentication (better).

solution3
 1  2012-09-24 14:29:42

Use a RESTful framework like Jersey for example. But for authentication you must implement session management with request filters. As for users management you should use a database like MySQL.

solution4
 1  2012-09-24 14:31:10

是的,从BASIC(通过SSL),OAuth,Kerberos,Spring Security等中,有很多现有的好的身份验证解决方案。我建议对WS-Security主题进行研究,因为它有很多层(容器,过滤器,应用程序本身) )可以进行身份​​验证的位置。

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Java Web Services Authentication Lotus Notes Java options for web user authentication JAX-RS - Authentication and getting user data in RESTful web services Develop authentication for user's before accessing RESTful Web Services Security and authentication in web services How to use LDAP authentication for the Exchange Web Services connection in Java? Java Restful Web Services (jax rs) authentication pattern Adding user authentication in java web app User authentication management with user token and session management in java web application Exchange web services Kerberos Authentication
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM