作者:laerla君君 | 来源:互联网 | 2023-05-23 18:57
我有一个spring rest api,它通过数据库使用base64身份验证进行保护.是否有可能再采取另一个休息api并以某种方式通过第一个api进行身份验证?
1> Alex..:
您是否考虑过使用基于OAuth的身份验证和API密钥管理保护API.从安全角度来看,HTTP基本身份验证并不是理想的,用户名和密码对API有另一组安全问题
无论哪种方式,您可以考虑使用Stormpath使您真正轻松.看一下本指南,它支持HTTP basic和OAuth.
这个示例代码将让您了解这是多么容易.
假设你想要公开一个被调用的操作startEngines()
,你想要保护它.在此示例中,您还需要公开新操作以获取访问令牌String getAccessToken(ApiKey)
.
您的用户将运行以下内容:
@Test
public void executeSomeOauth2AuthenticatedOperation() {
String userApiKeyPath = System.getProperty("user.home") + "/.stormpath/apiKey_4Yrc0TJ5sBFldwtu6nfzf5.properties";
ApiKey userApiKey = ApiKeys.builder().setFileLocation(userApiKeyPath).build();
//Developer requests access token
String accessToken = getAccessToken(userApiKey);
//Developer executes an authenticated operation (e.g startEngines()) with the provided accessToken
if (startEngines(accessToken)) {
System.out.print("Client-side message: Execution allowed");
} else {
System.out.print("Client-side message: Execution denied");
}
}
您的代码将如下所示:
String path = System.getProperty("user.home") + "/.stormpath/apiKey.properties";
String applicatiOnUrl= "https://api.stormpath.com/v1/applications/2TqboZ1qo73eDM4gTo2H94";
Client client = Clients.builder().setApiKey(ApiKeys.builder().setFileLocation(path).build()).build();
Application application = client.getResource(applicationUrl, Application.class);
public String getAccessToken(ApiKey apiKey) {
HttpRequest request = createOauthAuthenticationRequest(apiKey);
AccessTokenResult accessTokenResult = (AccessTokenResult) application.authenticateApiRequest(request);
System.out.println(accessTokenResult.getScope());
return accessTokenResult.getTokenResponse().getAccessToken();
}
public boolean startEngines(String accessToken) {
HttpRequest request = createRequestForOauth2AuthenticatedOperation(accessToken);
try {
OauthAuthenticationResult result = application.authenticateOauthRequest(request).execute();
System.out.println(result.getAccount().getEmail() + " is about to start the engines!");
doStartEngines(); //Here you will actually call your internal doStartEngines() operation
return true;
} catch (AccessTokenOauthException e) {
//This accessToken is not allowed to start the engines
System.out.print("AccessToken: " + accessToken + " just tried to start the engines. He is not allowed to do so.");
return false;
}
}
private HttpRequest createOauthAuthenticationRequest(ApiKey apiKey) {
try {
String credentials = apiKey.getId() + ":" + apiKey.getSecret();
Map headers = new LinkedHashMap();
headers.put("Accept", new String[]{"application/json"});
headers.put("Content-Type", new String[]{"application/x-www-form-urlencoded"});
headers.put("Authorization", new String[]{"Basic " + Base64.encodeBase64String(credentials.getBytes("UTF-8"))});
Map parameters = new LinkedHashMap();
parameters.put("grant_type", new String[]{"client_credentials"});
HttpRequest request = HttpRequests.method(HttpMethod.POST)
.headers(headers)
.parameters(parameters)
.build();
return request;
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
private HttpRequest createRequestForOauth2AuthenticatedOperation(String token) {
try {
Map headers = new LinkedHashMap();
headers.put("Accept", new String[]{"application/json"});
headers.put("Authorization", new String[]{"Bearer " + token});
HttpRequest request = HttpRequests.method(HttpMethod.GET)
.headers(headers)
.build();
return request;
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
private void doStartEngines() {
System.out.println("Server-side message: Engines started!!!");
}
为了简单起见,我使所有这些代码在同一台机器上运行(客户端和服务器端代码之间没有网络通信).实际上,您需要使用Spring 公开startEngines()
并String getAccessToken(ApiKey)
通过Rest API,让最终用户通过网络访问它们.
尝试一下,它应该是一个非常简单快速的解决方案.:)
完全披露 - 我在Stormpath工作