REST 层安全性和集成
我有一个基于小部件的前端与 REST 层通信。要使用前端,人们需要使用用户名和密码登录。进入后,用户可以与小部件交互,这些小部件会调用 REST 层。此时,REST层还没有进行授权。如果您登录成功,您就可以做任何您想做的事情。
但是,我想确保只有已登录的用户才能访问 REST 层。如果您尝试使用浏览器或其他客户端访问它,您应该会收到 404。
我们已经设法使用 OpenSSO 做到这一点,但它很复杂。随着向 OpenAM 的转型,其未来也充满疑问。此外,还需要与其他 REST 层集成,其中我构建的 REST 层的 Java 代码将充当其他受任何东西保护的服务的客户端。
因此,我在保护我的东西以及与其他东西的安全可插拔性方面存在问题。
我一直在阅读 OAuth、CAS、OpenID 和 JOSSO 等内容,发现自己对它们都解决了哪些问题感到困惑。我认为我的问题相当基本,但我不知所措。任何见解都值得赞赏。
谢谢。
I have an widget-based front end talking to a REST layer. To use the front-end, a human needs to log in with a username and password. Once in, the user can interact with the widgets, which make calls to the REST layer. At this point, no authorization is done at the REST layer. If you have logged in successfully, you can do whatever you want.
However, I want to ensure that only users who have logged in can hit the REST layer. If you try to hit it with a browser or other client, you should get a 404.
We have managed to do this with OpenSSO, but it is complex. And its future is in doubt with its transformation to OpenAM. Also, there will be the need to integrate with other REST layers where Java code at the REST layer I have built will act as a client to other services secured by conceivably anything.
Thus, I have an issue with securing my stuff and security pluggability with other stuff.
I have been reading up on OAuth and CAS and OpenID and JOSSO and on and on and find myself confused as to which problems they all solve. I thought my problem was fairly basic, but I am at a loss. Any insight is appreciated.
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这取决于您的 REST 层使用什么框架。
例如,在restlet.org框架中,您可以扩展org.restlet.security.SecretVerifier
并实现基于会话、cookie 等的身份验证方案。
That's depends what framework your are using for your REST layer.
For example, in restlet.org framework you can extend org.restlet.security.SecretVerifier
and implement your authentication scheme based on session, cookies etc.