Question

I m 建造一个将设在服务器上的应用程序。我想为申请建立一个APIC,以便利与任何平台(Web App, Mobile App)的互动。我不理解的是,在使用教育、科学和技术促进计划时,我们如何认证用户。

例如,当用户gged陷并想要建立一个论坛专题时。我会怎样知道用户已经陷入困境?

Answer 1

您可使用《吉大港山区基本计划》或《奥特森特》。然而,你可以安全地认证使用SSL的用户,但这种认证使APIC放慢了一点。

Basic authentication - uses Base64 encoding on username and password
Digest authentication - hashes the username and password before sending them over the network.

OAuth is the best it can get. The advantages oAuth gives is a revokable or expirable token. Refer following on how to implement: Working Link from comments: https://www.ida.liu.se/~TDP024/labs/hmacarticle.pdf

Answer 2

例如用户有标识时。现在让我说,用户希望建立一个论坛专题,我知道用户已经陷入困境吗?

想到这一点——必须有一些手法告诉你的“论坛”二字,即目前这一请求来自认证用户。自2005年以来甲型六氯环己烷通常是无国籍的,国家必须坚持,有些地方<>。你的客户消费教育、科学和技术信息预报系统,负责维持这一状况。通常,自用户被拖入网点后,便会以一些象征性的形式通过。如果证明是好的,你的请求是好的。

检查亚马孙妇女协会如何认证。这完全是一个例子,表明从一个APIC到另一个版本的“绕过uck”。

* 我想对我先前的回答作出一些实际反应。 Try Pat Shiro(或任何认证/授权图书馆)。底线、尝试并避免习俗编码。如果你把你喜欢的图书馆(我使用阿帕奇·索乌一(b))合并起来,你可以做如下工作:

Create a Login/logout API like: /api/v1/login and api/v1/logout

In these Login and Logout APIs, perform the authentication with your user store

The outcome is a token (usually, JSESSIONID) that is sent back to the client (web, mobile, whatever)

From this point onwards, all subsequent calls made by your client will include this token

Let s say your next call is made to an API called /api/v1/findUser

The first thing this API code will do is to check for the token ("is this user authenticated?")

If the answer comes back as NO, then you throw a HTTP 401 Status back at the client. Let them handle it.

If the answer is YES, then proceed to return the requested User

Answer 3

Use HTTP Basic Auth to authenticate clients, but treat username/password only as temporary session token.

The session token is just a header attached to every HTTP request, eg: Authorization: Basic Ym9ic2Vzc2lvbjE6czNjcmV0

The string Ym9ic2Vzc2lvbjE6czNjcmV0 above is just the string "bobsession1:s3cret" (which is a username/password) encoded in Base64.
为获得上述临时会议,提供一种参考功能(例如:>http://mycompany.com/apiv1/login),该功能将主用户名和主密码作为投入,在服务器一侧形成一种临时性的吉大港群岛基本用户名/密码,并回归(例如:Ym9ic2Vzc2lvbjE6czNjcmV0)。该用户名/密码应当是临时性的,应于20分钟后到期。
For added security ensure your REST service are served over HTTPS so that information are not transferred plaintext

如果你在贾瓦回,春天安全图书馆提供良好支持,以实施上述方法。

Answer 4

我认为最佳办法是使用奥阿瑟特2。谷歌会和你将找到许多有益的职位,帮助你设立这一职位。

更便于从网站或移动式网站开发用户申请。

希望能帮助你们。

Answer 5

这里采取的指导做法。

您的认证服务颁发了“JWT”号,该书使用一个秘密签署,也可在您的APIC服务上查阅。他们之所以需要,也是因为你需要核实收到的标语,以确保你制造这些标语。 JWTs的一点是,如果不同用户的出入控制水平不同,其有效载荷可以就用户的授权进入<>。

这种结构使认证成为无国籍人: 没有必要在数据库中储存任何标语,除非你愿意处理象征性的黑名单(即禁止用户)。无国籍问题对于你需要扩大规模至关重要。这还免除了您的APIC服务,使其不必把认证服务器称作认证服务器,因为认证和授权所需要的信息都放在标语中。

流动(无遗症):

User authenticates with the authentication server (eg: POST /auth/login) and receives a JWT token generated and signed by the auth server.

User uses that token to talk to your API and assuming user is authorised), gets and posts the necessary resources.

这里有几个问题。也就是说,在错误的手上打脚,可以无限制地接触恶意使用者,以预示他们是受影响的用户,并无限期地打电话给您的APIC。为了处理这种情况,标注日期已经到期,客户在到期时不得不要求新的标注。这一过期是象征性的有效载荷的一部分。但是,如果标的寿命短,我们是否要求用户随时随用户名和密码进行认证? 页: 1 我们不想每30至1小时向用户索取密码,我们不想在客户任何地方坚持这些密码。为了解决这一问题,我们引入了refresh tokens的概念。他们更长的活着,可以达到一个目的:作为用户密码,认证他们获得新的象征性。下面是,随着这一结构的形成,验证服务器需要在一个数据库中坚持这些复读。

新流动(有复数):

User authenticates with the authentication server (eg: POST /auth/login) and receives a JWT token generated and signed by the auth server, alongside a long lived (eg: 6 months) refresh token that they store securely

Whenever the user needs to make an API request, the token s expiry is checked. Assuming it has not yet expired, user uses that token to talk to your API and assuming user is authorised), gets and posts the necessary resources.

If the token has indeed expired, there is a need to refresh your token, user calls authentication server (EG: POST / auth/token) and passes the securely stored refresh token. Response is a new access token issued.

Use that new token to talk to your API image servers.

<>strong>(禁止用户)

我们如何禁止用户? 采用这一模式并不容易。加强: 每一次复读都包含一个黑名单>的田地,如果重新出现黑色标号,则只发放新标语。

www.un.org/Depts/DGACM/index_spanish.htm 审议情况:

You may want to rotate refresh token. To do so, blacklist the refresh token each time your user needs a new access token. That way refresh tokens can only be used once. Downside you will end up with a lot more refresh tokens but that can easily be solved with a job that clears blacklisted refresh tokens (eg: once a day)
You may want to consider setting a maximum number of allowed refresh tokens issued per user (say 10 or 20) as you issue a new one every time they login (with username and password). This number depends on your flow, how many clients a user may use (web, mobile, etc) and other factors.
Logout endpoint in your authentication service may or may not blacklist refresh tokens. Something to think about.

Answer 6

我先是利用JWT认证。在我的申请中,工程只是罚款。

有一种认证方法需要用户证书。这种方法验证了证书,并在成功时获得象征性的证明。

在我的网播中,必须把这一信号发给请求的负责人的所有其他方法。

它非常容易执行,非常容易测试。

友情链接