Securing REST + AngularJS with JWT or OAuthv2

Updated: 2024-10-25 12:19:29


I'm pretty new to REST security and am trying to build an AngularJS (Angular 1) app that integrates against a RESTful web service as its backend. This web service will be how the app (frontend) fetches and writes all data.

The app will initially be the REST service's only client, but eventually I'd like to open the service up as an exposed public API, not only used/consumed by my Angular app.

I'm trying to figure out how to build an authentication/authorization solution for my REST service and there's a few things I'm unclear of. I want both the Angular app and its backing REST service to have their own authentication/authorization models (I think -- I can be talked out of this).

1. Does the Angular app ship with its own "service user" and credentials for integrating with the REST service? Something like a username of myapp-client with its own password?; or
2. Does the Angular app "forward" the user's credentials onto the REST service?

In the first case, like I said the Angular app might ship with credentials hardcoded into it for integrating with and connecting to the REST service (again as an example: username: myapp-client, password: 12345). I think this is simplest but then (very likely) exposes these hardcoded credentials in the browser/frontend code and then any script kiddie under the sun has the username + password to access my entire REST API.

In the latter case, I think the Angular app has to act as some kind of middleman where the user:

1. Is anonymous and gets routed to the login screen
2. Enters their own credentials (username: smeeb, password: 23456)
3. Authenticates (somehow both with the app as well as the backend)
4. Obtains some kind of bearer/JWT/etc. token, and then all subsequent HTTP requests to the Angular app use this valid token (but again the app is just acting -- somehow -- as the middleman between the browser where the token is stored and the REST service)

I guess I'm looking for confirmation of my suspicion that the former solution (1 service user that the app uses to integrate with the backend) exposes credentials in the browser, and that the latter solution is the way to go. Also looking for confirmation as to whether JWT is a way to implement the latter solution or if I need to go with OAuthv2 or something else.

Accepted answer


When you need to authenticate an Angular app over a REST API, the steps are as follows.

1. User enters the username/password into the Angular app.
2. Angular app sends those data to the REST API.
3. If the credentials are correct, the REST API returns a JWT to the Angular app.
4. For each subsequent request to the REST API which requires authentication, the Angular app passes the JWT with the request.


This article was published on 2023-07-22 18:31:00.
Link: https://www.elefans.com/category/jswz/34/1222347.html
