問題:
Problem: 問題:
We have a Spring MVC-based RESTful API which contains sensitive information. 我們有一個基於Spring MVC的RESTful API,它包含敏感信息。 The API should be secured, however sending the user's credentials (user/pass combo) with each request is not desirable. 應該保護API,但是不希望向每個請求發送用戶的憑證(用戶/通過組合)。 Per REST guidelines (and internal business requirements), the server must remain stateless. 根據REST準則(和內部業務要求),服務器必須保持無狀態。 The API will be consumed by another server in a mashup-style approach. API將由mashup風格的方法由另一臺服務器使用。
Requirements: 要求:
Client makes a request to
.../authenticate(unprotected URL) with credentials; 客戶端使用憑證發出請求.../authenticate(不受保護的URL); server returns a secure token which contains enough information for the server to validate future requests and remain stateless. 服務器返回一個安全令牌,其中包含足夠的信息,供服務器驗證將來的請求並保持無狀態。 This would likely consist of the same information as Spring Security's Remember-Me Token . 這可能包含與Spring Security的Remember-Me Token相同的信息。Client makes subsequent requests to various (protected) URLs, appending the previously obtained token as a query parameter (or, less desirably, an HTTP request header). 客戶端對各種(受保護的)URL進行後續請求,將先前獲得的令牌附加爲查詢參數(或者不太希望的是HTTP請求頭)。
Client cannot be expected to store cookies. 不能指望客戶存儲cookie。
Since we use Spring already, the solution should make use of Spring Security. 由於我們已經使用Spring,因此該解決方案應該使用Spring Security。
We've been banging our heads against the wall trying to make this work, so hopefully someone out there has already solved this problem. 我們一直在試圖讓這項工作碰壁,所以希望那裏的人已經解決了這個問題。
Given the above scenario, how might you solve this particular need? 鑑於上述情況,您如何解決這一特殊需求?
解決方案:
參考一: https://stackoom.com/question/jQPd參考二: RESTful Authentication via Spring