REST 应用程序中的基本身份验证
环境:
- 爪哇岛
- 玻璃鱼
- 不同机器中的 REST 服务
- HTML5-client with AJAX and JQuery
- 泽西
这是我到目前为止实现的:
HTML5-client
$('#btnSignIn').click(function () {
var username = $("#username").val();
var password = $("#password").val();
function make_base_auth(user, password) {
var tok = user + ':' + password;
var final = "Basic " + $.base64.encode(tok);
console.log("FINAL---->" + final);
alert("FINAL---->" + final);
return final;
}
$.ajax({
type: "GET",
contentType: "application/json",
url: "http://localhost:8080/SesameService/webresources/users/secured/login",
crossDomain: true,
dataType: "text",
async: false,
data: {},
beforeSend: function (xhr) {
xhr.setRequestHeader('authorization', make_base_auth(username, password));
},
success: function () {
alert('Thanks for your signin in! ');
},
error: function (jqXHR, textStatus, errorThrown) {
console.log(textStatus, errorThrown);
alert(' Error in signIn-process!! ' + textStatus);
}
});
});
服务器
在“安全性”中,我尚未启用安全管理器,它已被禁用!
我已经为Glassfish配置了BASIC身份验证,我的web.xml看起来像这样:
<servlet-mapping>
<servlet-name>ServletAdaptor</servlet-name>
<url-pattern>/webresources/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>REST Protected resources</web-resource-name>
<description/>
<url-pattern>/users/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>customer</role-name>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>jdbcRealm</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
<security-role>
<description/>
<role-name>customer</role-name>
</security-role>
玻璃鱼
日志
FINE: [Web-Security] Setting Policy Context ID: old = null ctxID = SesameService/SesameService
FINE: [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "/webresources/users/secured/login" "GET")
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINE: [Web-Security] Policy Context ID was: SesameService/SesameService
FINE: [Web-Security] hasResource isGranted: true
FINE: [Web-Security] hasResource perm: ("javax.security.jacc.WebResourcePermission" "/webresources/users/secured/login" "GET")
问题:
-
如果我在用户注册时在客户端中加密(不编码)密码并在SSL / HTTPS下传输密码,这是否安全且实现此目的的好方法?
-
如果我在没有客户端的情况下使用 REST 服务,它始终是打开的,为什么?没有基本身份验证?我是否理解这些网址模式有问题?
http://localhost:8080/SesameService/webresources/users/secured/login
-
如果我得到这个工作如何测试,因为现在如果我验证一次,我总是被授权?是否可以在 REST 服务中以编程方式“注销”,或者通常如何实现注销?
-
当在带有强制性 base64 编码的用户名:密码的标头中使用授权时,我是否也必须将我的用户名和密码编码到 DB?我尝试了一下,并将编码(允许的值为Hex和Base64)添加到jdbcRealm到Glassfish,似乎密码就足够了,但是当两者都在客户端中编码时会发生什么?
更新:我更改了web.xml现在BASIC身份验证在浏览器中直接调用REST服务时工作:http://localhost:8080/SesameService/users/secured/login
变化:
- 我在玻璃鱼中启用了安全管理器
- 我更改了网址模式
<servlet-mapping>
<servlet-name>ServletAdaptor</servlet-name>
<url-pattern>/*</url-pattern>----> I took webresources off. It was generated by Netbeans
</servlet-mapping>
- 我将服务的网址更改为:
http://localhost:8080/SesameService/users/secured/login
现在,当我尝试从HTML5客户端进行身份验证时,我得到了一个HTTP / 1.1 401未经授权。
请求标头:
Origin: http://localhost:8383
Host:localhost:8080
Connection:keep-alive
Access-Control-Request-Method:GET
Access-Control-Request-Headers:authorization,content-type
响应:
x-powered-by:Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.2.2 Java/Oracle Corporation/1.7)
WWW-Authenticate:Basic realm="jdbcRealm"
Server:GlassFish Server Open Source Edition 3.1.2.2
Pragma:No-cache
Expires:Thu, 01 Jan 1970 02:00:00 EET
Date:Sat, 13 Apr 2013 15:25:06 GMT
Content-Type:text/html
Content-Length:1073
Cache-Control:no-cache
更新 2
当我尝试使用JavaScript +授权标头进行身份验证时,我收到401错误,并在日志中:
FINE: [Web-Security] Setting Policy Context ID: old = null ctxID = SesameService/SesameService
FINE: [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "/users/secured/login" "OPTIONS")
FINE: [Web-Security] hasUserDataPermission isGranted: true---->!!!!!!!!!!!!!
FINE: [Web-Security] Policy Context ID was: SesameService/SesameService
FINE: [Web-Security] Codesource with Web URL: file:/SesameService/SesameService
FINE: [Web-Security] Checking Web Permission with Principals : null------->!!!!!!!
FINE: [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/users/secured/login" "OPTIONS")
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (SesameService/SesameService)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/users/secured/login" "OPTIONS"))
FINE: [Web-Security] hasResource isGranted: false------->!!!!!!!!!
FINE: [Web-Security] hasResource perm: ("javax.security.jacc.WebResourcePermission" "/users/secured/login" "OPTIONS")
FINEST: JACC Policy Provider: PolicyWrapper.getPermissions(cs), context (null) codesource ((null <no signer certificates>)) permissions: java.security.Permissions@5d4de3b0 (
更新 3我不能成为第一个也是唯一一个尝试在跨域情况下使用BASIC进行身份验证的人。我像这样更改了我的跨源过滤器:
response.getHttpHeaders().putSingle("Access-Control-Allow-Headers", "Authorization");
NO 401 错误不再存在,但在 JavaScript 中仍然存在错误。在玻璃鱼日志:
FINEST: JACC Policy Provider:
getPolicy (SesameService/SesameService) is NOT in service----->!!!!!!!!
FINE: JACC Policy Provider: file arrival check type: granted arrived: false exists: false lastModified: 0 storedTime: 1365968416000 state: deleted SesameService/SesameService
FINE: JACC Policy Provider: file arrival check type: excluded arrived: false exists: false lastModified: 0 storedTime: 0 state: deleted SesameService/SesameService
FINE: TM: getTransaction: tx=null, tm=null
FINE: TM: componentDestroyedorg.apache.catalina.servlets.DefaultServlet@227fe9a8
FINE: TM: resourceTable before: 0
FINE: TM: resourceTable after: 0
顺便说一句,因为我从未做过这项工作,所以这项工作与在自己的域中直接调用REST服务的方式相同。那么,首先打开客户端请求,服务器请求和用户名 - 密码窗口,然后客户端请求和服务器进行身份验证并响应页面?我正在尝试获取它:请求其中包含授权标头,来自服务器的响应以及来自其余服务的结果,仅此而已。任何想法如何保护REST服务?比这更容易?这是不可能的。
更新 4
我只是试图将我的HTML5客户端移动到java Web项目下,只是纯html页面和同一域下,BASIC身份验证100%工作。所以原因是因为跨域环境。