
I have a widget-based front end talking to a REST layer. To use the front end, a human needs to log in with a username and password. Once in, the user can interact with the widgets, which make calls to the REST layer. At this point, no authorization is done at the REST layer. If you have logged in successfully, you can do whatever you want.

However, I want to ensure that only users who have logged in can hit the REST layer. If you try to hit it with a browser or other client, you should get a 404.

We have managed to do this with OpenSSO, but it is complex. And its future is in doubt with its transformation to OpenAM. Also, there will be the need to integrate with other REST layers where Java code at the REST layer I have built will act as a client to other services secured by conceivably anything.

Thus, I have an issue with securing my stuff and security pluggability with other stuff.

I have been reading up on OAuth and CAS and OpenID and JOSSO and on and on and find myself confused as to which problems they all solve. I thought my problem was fairly basic, but I am at a loss. Any insight is appreciated.

Thanks.


1 Answer


It depends on the framework you are using for the REST layer.

For example, in the restlet.org framework you can extend org.restlet.security.SecretVerifier and implement an authentication scheme based on sessions, cookies, etc.

answered 2011-02-04T20:16:56.020
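The approach the answer sketches, a verifier sitting in front of the REST layer that accepts a request only when it carries a valid login session and otherwise answers 404 as the question asks, as an added example. This is not code from the original post or from the Restlet project; it is framework-agnostic Python rather than a SecretVerifier subclass, and the cookie name, session timeout, signing key, in-memory stores and the single user account are all constructed for the demo.

```python
"""Session-cookie gate in front of a REST layer (added example, not from the post).

Flow: a human logs in with username/password, receives an HMAC-signed session
cookie, and every REST call is checked against the server-side session store.
Anything without a valid session gets 404, so browsers and other unauthenticated
clients cannot even tell the endpoint exists. Requests are plain dicts so this
runs offline without any web framework.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "rest_session"      # assumed cookie name
SESSION_TTL_SECONDS = 30 * 60        # assumed idle timeout
# Assumed per-process signing key; a real deployment loads it from a secrets store.
_SIGNING_KEY = secrets.token_bytes(32)

# Server-side session store: session id -> (username, expiry). An in-memory dict
# stands in for whatever shared store (DB, cache) the REST layer would use.
_sessions: Dict[str, Tuple[str, float]] = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the hash is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store with one demo account.
_SALT = secrets.token_bytes(16)
_USERS = {"alice": _hash_password("correct horse battery staple", _SALT)}


def _sign(session_id: str) -> str:
    """Cookie value is 'id.mac': a forged or tampered cookie fails before any store lookup."""
    mac = hmac.new(_SIGNING_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Human login. Returns the cookie value to set, or None on bad credentials."""
    now = time.time() if now is None else now
    stored = _USERS.get(username)
    # Always hash the candidate so an unknown username costs the same as a wrong password.
    candidate = _hash_password(password, _SALT)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = (username, now + SESSION_TTL_SECONDS)
    return _sign(session_id)


def authenticated_user(cookie_value: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Verify a presented session cookie; return the username or None."""
    now = time.time() if now is None else now
    if not cookie_value or "." not in cookie_value:
        return None
    session_id = cookie_value.rpartition(".")[0]
    # Constant-time compare of the whole 'id.mac' string against a freshly computed one.
    if not hmac.compare_digest(_sign(session_id).encode(), cookie_value.encode()):
        return None
    entry = _sessions.get(session_id)
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        _sessions.pop(session_id, None)   # expired: drop it so it cannot be replayed
        return None
    return username


def handle_rest_request(request: dict, now: Optional[float] = None) -> Tuple[int, str]:
    """Gate for the REST layer: returns (status, body).

    Unauthenticated callers get 404 rather than 401, as the question asks, so the
    endpoint looks absent instead of inviting credential guessing.
    """
    cookies = request.get("cookies", {})
    user = authenticated_user(cookies.get(SESSION_COOKIE), now)
    if user is None:
        return 404, "Not Found"
    return 200, f"hello {user}, you called {request.get('path')}"


if __name__ == "__main__":
    cookie = login("alice", "correct horse battery staple")
    print(handle_rest_request({"path": "/widgets", "cookies": {SESSION_COOKIE: cookie}}))
    print(handle_rest_request({"path": "/widgets"}))   # no session: 404
```

The same gate applies when this REST layer itself calls out to other services: the outbound client presents whatever credential that service expects, and the inbound check here stays independent of it, which is the pluggability the question is after.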