RESTful Service Authentication

Published 2019-04-23 18:32

Question:

As per REST spec, the service is supposed to be stateless; but then it becomes difficult to enable authentication. Some of the stuff I have read said "making REST stateful is not end of the world". But that's not the point, the point is to follow the spec and be consistent.

So, I am asking this question here in the hope that someone could guide me in the right direction. I am working with Spring MVC to create a REST Service. I do not have views. It is a true REST Service which consumes/produces JSON. I need to have an authentication (and authorization down the road) mechanism for this application that is stateless and follows the REST specification. The client will be written in JavaScript (Backbone.js, CoffeeScript) and will accept username/password from a User. Then it will post that information to the server.

How can I achieve true stateless authentication (and authorization) in a Spring based application?

Digest Authentication over SSL - Is this the way to go?

Answer 1:

Session management is different from the state management.

Your server side during the handshake can generate a token, and every time the client makes a call it will have to add that token either to the head or elsewhere for your server to be able to analyze it and decide if you can allow the call to continue on.

The server does not need to maintain any state to check the validity of that token; that can be done using some algorithm.
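One way to realise the token scheme described in Answer 1, as an added example that is not part of the original answer: the server signs the user name and an expiry time with HMAC-SHA256 and later validates the token using only its secret key, with no session store. The class name `StatelessToken`, the token layout and the demo key are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class StatelessToken {
    // Constructed demo key; a real service loads a random secret from protected configuration.
    private static final byte[] KEY = "demo-only-secret-change-me".getBytes(StandardCharsets.UTF_8);
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    private static byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Token = base64url(user:expiryEpochSeconds) + "." + base64url(HMAC of the first part).
    static String issue(String user, long expiresAt) throws Exception {
        String payload = B64.encodeToString((user + ":" + expiresAt).getBytes(StandardCharsets.UTF_8));
        return payload + "." + B64.encodeToString(hmac(payload));
    }

    // Returns the user name if the token is authentic and unexpired, otherwise null.
    static String verify(String token, long now) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 2) return null;
        byte[] sig;
        try {
            sig = Base64.getUrlDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null; // signature part is not valid base64url
        }
        // Constant-time comparison; the payload is parsed only after the MAC checks out.
        if (!MessageDigest.isEqual(hmac(parts[0]), sig)) return null;
        String body = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        int sep = body.lastIndexOf(':');
        long expiresAt = Long.parseLong(body.substring(sep + 1));
        return now < expiresAt ? body.substring(0, sep) : null;
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis() / 1000;
        String token = issue("alice", now + 900);           // valid for 15 minutes
        String tampered = issue("bob", now + 900).split("\\.")[0] + "." + token.split("\\.")[1];
        System.out.println("valid:    " + verify(token, now));
        System.out.println("expired:  " + verify(token, now + 901));
        System.out.println("tampered: " + verify(tampered, now));
    }
}
```

Because nothing is stored server side, such a token cannot be revoked before it expires, so the lifetime should be kept short. The token is a bearer credential and needs the same SSL/TLS protection the question already assumes.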



Answer 2:

Have you looked into how Spring Security works? Using Spring Security I have been able to add custom HTTP Authorization Headers from the client in the REST Request. This is extracted server side, the requesting user is authenticated, and it is possible to authorize access to specific resources.



Answer 3:

You can use either Basic or Digest authentication over SSL, neither of which implies anything significant about the state. There may also be a cookie sent back by the server, which your client will need to send back when it does further requests (I believe that the JavaScript code will handle all that for you). There are other authentication mechanisms possible, but they're more complex and not necessarily suitable. (The other key proper-stateless one is client-authenticated SSL, but that requires the browser to have a client SSL keypair installed and for the server to know what that identity means and it's quite a bit more complex to deploy.)

On the server side, use Spring Security as that makes it pretty easy to handle all this stuff. It works well with Spring MVC.