我在这里阅读了如何保护 REST 服务的非常好的答案,但所有这些都只是纯粹的理论,并没有太大帮助。使用 REST 时如何实现 JDBCRealm-FORM 身份验证?
登录表单
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Login Form</title>
</head>
<body>
<form method="post" action="j_security_check">
<p>You need to log in to access protected information.</p>
<table>
<tr>
<td>User name:</td>
<td><input type="text" name="j_username" /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="j_password" /></td>
</tr>
</table>
<p><input type="submit" value="Login" /></p>
</form>
</body>
</html>
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>How to protect REST</web-resource-name>
<url-pattern>/protected/*</url-pattern>----> What is that in case of rest?
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>customer</role-name>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>jdbcRealm</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
<security-role>
<description/>
<role-name>customer</role-name>
</security-role>
问题:
1) 我在 Glassfish 中创建了 JDBCRealm,它正在工作。我用另一个 jsf-app 测试了它。在 clien-REST-service 的情况下,例如:<url-pattern>/protected/*</url-pattern>
在正常情况下,它指的是受保护的 jsp/jsf/xhtml 等页面所在的“文件夹”,但现在在哪里?
2)会话呢?我认为在无状态上下文中使用会话是不可能的
3) 甚至可以在 REST 中使用基于 FORM 的身份验证吗?
4)任何比我聪明的人解释如何保护客户端 - 服务器休息应用程序的教程链接。