Problem description:

I have read very nice answers here on how to secure REST services, but all of them are just pure theory and didn't help so much. How do you implement JDBCRealm FORM authentication when using REST?

Login form

<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Login Form</title>
    </head>
    <body>
        <form method="post" action="j_security_check">
            <p>You need to log in to access protected information.</p>
            <table>
                <tr>
                    <td>User name:</td>
                    <td><input type="text" name="j_username" /></td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td><input type="password" name="j_password" /></td>
                </tr>
            </table>
            <p><input type="submit" value="Login" /></p>
        </form>
    </body>
</html>

web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>How to protect REST</web-resource-name>
        <url-pattern>/protected/*</url-pattern> <!-- What is that in case of REST? -->
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
        <role-name>customer</role-name>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jdbcRealm</realm-name>
</login-config>

<security-role>
    <role-name>admin</role-name>
</security-role>
<security-role>
    <role-name>user</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>customer</role-name>
</security-role>

QUESTIONS:

1) I have created a JDBCRealm in Glassfish and it is working. I tested it with another JSF app. In the case of a client REST service, what is, for instance, this: <url-pattern>/protected/*</url-pattern>? In the normal case it refers to the "folder" where the protected JSP/JSF/XHTML etc. pages are, but where now?

2) What about the session? I think that it is impossible to use a session in a stateless context.

3) Is it even possible to use FORM-based authentication with REST?

4) Any links to a tutorial where somebody wiser than me explains how to secure a client-server REST application?

Answer:

You cannot have FORM auth with REST because every request must be complete in itself and stateless. Form with redirect isn't. You need to use a standard HTTP header-based mech like Basic, Digest, etc.

Answer:

1) I have created a JDBCRealm in Glassfish and it is working. I tested it with another JSF app. In the case of a client REST service, what is, for instance, this: /protected/*? In the normal case it refers to the "folder" where the protected JSP/JSF/XHTML etc. pages are, but where now?

You can choose to protect the entire REST services subdomain, or a portion of it. Assuming you configured the root to be /rest, that is what you would put in your url-pattern.

2) What about the session? I think that it is impossible to use a session in a stateless context.

Depends on your REST implementation. With JAX-RS (Jersey) the answer is absolutely yes, you can use the HTTP session. You inject it into your resource class via a @Context annotation:

import javax.servlet.http.HttpSession;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;

@Path("/echo")
public class EchoServiceImpl {
    // Jersey injects the servlet session of the current request here.
    @Context
    private HttpSession session;
}

Having confirmed that you can use the session, I would strongly advise against it, because RESTful calls are supposed to be stateless.

3) Is it even possible to use FORM-based authentication with REST?

It doesn't make sense to use form-based authentication for REST, no. You are designing services to be consumed by other computer systems, not by humans. There should be no interactive UIs involved in the process.

4) Any links to a tutorial where somebody wiser than me explains how to secure a client-server REST application?

This is a tough one; there's lots of guides out there, but a lot of them are very specific to the particular technology stack being used in the REST implementation. As a start I would recommend you change your current configuration from FORM to BASIC, and also think about securing your endpoint with SSL. Do remember that when you use Basic Authentication, you need to include the user credentials in an Authorization header:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

You can read up on how to compute the header here.

Once comfortable with Basic/Digest authentication, you will then be ready to start looking at more advanced security options like OAuth.
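As an added example (not from the question or either answer), this shows how the Basic Authorization header referred to above is computed by a client and parsed by a stateless server, including the 401 challenge sent when it is missing or malformed. The user table and the realm name in the challenge are constructed stand-ins for the JDBC realm; the example value is the RFC 7617 one quoted in the answer.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# RFC 7617: the credentials are "user-id:password", base64-encoded. The user-id
# must not contain a colon; the password may, so the server splits on the FIRST colon.


def build_basic_header(username: str, password: str) -> str:
    """Value a REST client sends in the Authorization header on every request."""
    if ":" in username:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password), or None for anything malformed.

    Returning None instead of raising keeps client-controlled header bytes from
    turning into a 500; the caller answers 401 with a challenge instead.
    """
    if not header:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":  # scheme name is case-insensitive
        return None
    try:
        # validate=True rejects non-alphabet characters; bad UTF-8 raises UnicodeDecodeError,
        # and both binascii.Error and UnicodeDecodeError are subclasses of ValueError.
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except ValueError:
        return None
    user, sep, pwd = decoded.partition(":")
    if not sep or not user:
        return None
    return user, pwd


def check_request(headers: Dict[str, str], users: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Decision for one stateless request: (200, {}) or (401, challenge headers).

    `users` is a constructed in-memory user table standing in for the JDBC realm.
    """
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is None or creds[0] not in users \
            or not hmac.compare_digest(users[creds[0]].encode(), creds[1].encode()):
        return 401, {"WWW-Authenticate": 'Basic realm="jdbcRealm", charset="UTF-8"'}
    return 200, {}
```

Because the credentials travel on every request, the transport must be TLS, which is why the answer pairs BASIC with SSL.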
