问题:
Problem: 问题:
We have a Spring MVC-based RESTful API which contains sensitive information. 我们有一个基于Spring MVC的RESTful API,它包含敏感信息。 The API should be secured, however sending the user's credentials (user/pass combo) with each request is not desirable. 应该保护API,但是不希望向每个请求发送用户的凭证(用户/通过组合)。 Per REST guidelines (and internal business requirements), the server must remain stateless. 根据REST准则(和内部业务要求),服务器必须保持无状态。 The API will be consumed by another server in a mashup-style approach. API将由mashup风格的方法由另一台服务器使用。
Requirements: 要求:
Client makes a request to
.../authenticate(unprotected URL) with credentials; 客户端使用凭证发出请求.../authenticate(不受保护的URL); server returns a secure token which contains enough information for the server to validate future requests and remain stateless. 服务器返回一个安全令牌,其中包含足够的信息,供服务器验证将来的请求并保持无状态。 This would likely consist of the same information as Spring Security's Remember-Me Token . 这可能包含与Spring Security的Remember-Me Token相同的信息。Client makes subsequent requests to various (protected) URLs, appending the previously obtained token as a query parameter (or, less desirably, an HTTP request header). 客户端对各种(受保护的)URL进行后续请求,将先前获得的令牌附加为查询参数(或者不太希望的是HTTP请求头)。
Client cannot be expected to store cookies. 不能指望客户存储cookie。
Since we use Spring already, the solution should make use of Spring Security. 由于我们已经使用Spring,因此该解决方案应该使用Spring Security。
We've been banging our heads against the wall trying to make this work, so hopefully someone out there has already solved this problem. 我们一直在试图让这项工作碰壁,所以希望那里的人已经解决了这个问题。
Given the above scenario, how might you solve this particular need? 鉴于上述情况,您如何解决这一特殊需求?
解决方案:
参考一: https://stackoom.com/question/jQPd参考二: RESTful Authentication via Spring