This article presents the handling of "Is this login logic via RESTful call sound?"; it has some reference value for solving the problem, and interested readers can follow along below.

Problem description

(I am not talking about authenticating RESTful API calls. I am talking about user login logic built on top of a REST-based API.)

When a user visits any page of my site, a servlet filter intercepts the request and checks whether the necessary authentication information exists in the session. If it does not, the user is directed to the login page.

On the login page, an Ajax call carrying the username and password is made to a RESTful API on the server. Depending on the status returned by the REST API, the JavaScript on the page decides whether to let the user into the site. Note that the actual validation logic still runs on the server side; the client-side JS only acts on the result coming back from the server.

On the server, the REST-based login API checks the submitted username/password to see whether it exists in the database. If it does, it stores the necessary authentication information in the session so that future requests from the same client will not be blocked.

My questions are:

  • Is this login logic sound?

  • Because a session is involved, the RESTful login API is not stateless. Is it still RESTful?

Below is my code:

login.js

  // login.js
  // Wire the submit button once the DOM is ready.
  $(function () {
      $('#submitDiv').click(doLogin);
  });

  function doLogin() {
      $('#resultDiv').text('Begin!');
      // Collect the credentials entered on the page (a local object, not a global).
      var user = {};
      user.username = $('#txtUsername').val();
      user.pwd = $('#txtPassword').val();
      $.ajax({
          headers: {
              'Accept': 'application/json',
              'Content-Type': 'application/json'
          },
          type: 'POST',
          url: 'doLogin.sm',
          data: JSON.stringify(user),
          dataType: 'text',
          success: loginSuccessful,
          complete: function (jqXHR, textStatus) {
              $('#resultDiv').text('Done: ' + textStatus);
          }
      });
  }

  function loginSuccessful() {
      // If the referrer is null, go to the dashboard; otherwise go to the referrer.
      // getUrlVars() is provided by common.js, which login.html loads before this file.
      var referrer = getUrlVars()['referrer'];
      if (referrer) {
          window.location.replace(referrer);
      }
      else {
          window.location.replace('dashboard.html');
      }
  }

login.html:

  <!DOCTYPE html>
  <html lang="en">
  <head>
      <title>My Cloud - Login Page</title>
      <link rel="stylesheet" type="text/css"
            href="resources2/css/bootstrap.css">
      <meta charset="utf-8">
      <!-- Force the latest IE rendering engine -->
      <meta http-equiv="X-UA-Compatible" content="IE=edge">
      <meta name="viewport" content="width=device-width, initial-scale=1">
      <script src="resources2/js/jquery-1.11.3.js"></script>
      <script src="resources2/js/bootstrap.js"></script>
      <script src="resources2/js/pagejs/common.js"></script>
      <script src="resources2/js/pagejs/login.js"></script>
  </head>
  <body>
      <h1>My Login Page</h1>
      <div id="loginDiv">
          <input id="txtUsername" type="text" value="test">
          <input id="txtPassword" type="password" value="test">
          <div id="submitDiv" class="btn btn-default">
              Login
          </div>
          <div id="resultDiv"></div>
      </div>
  </body>
  </html>


Solution

Session state on the client (instead of the server)

This is what Roy Thomas Fielding, the godfather of REST, says about it:

So, if you are keeping the session state on the server, it's not REST.

In REST you won't have a session on the server and, consequently, you won't have a session identifier.

Each request must contain all data to be processed

Each request from client to server must contain all of the necessary information to be understood by the server. With it, you are not depending on any session context stored on the server.

When accessing protected resources that require authentication, for example, each request must contain all necessary data to be properly authenticated/authorized. It means the authentication will be performed for each request.

And authentication data should belong in the standard HTTP Authorization header. From RFC 7235:

Basic authentication

The Basic Authentication Scheme, defined in RFC 7617, is a good start for securing a REST API:

Remember that HTTPS is your best friend for preventing man-in-the-middle attacks.

Tokens

If you don't want to send the username and the password over the wire for every request, you can consider creating token-based authentication. In this approach, you exchange your hard credentials (username and password) for a token which is sent in each request.

Again, the authentication must be performed for every request.

Basically, the token can be opaque (which reveals no details other than the value itself, like a random string) or can be self-contained (like JSON Web Token).

  • Random String: A token can be issued by generating a random string and persisting it to a database with an expiration date and with a user identifier associated to it.

  • JSON Web Token (JWT): Defined by RFC 7519, it's a standard method for representing claims securely between two parties. JWT is a self-contained token and enables you to store a user identifier, an expiration date and whatever you want (but don't store passwords) in a payload, which is JSON encoded as Base64. The payload can be read by the client, and the integrity of the token can be easily checked by verifying its signature on the server. You won't need to persist JWT tokens if you don't need to track them. Although, by persisting the tokens, you will have the possibility of invalidating them and revoking their access. To find some great resources for working with JWT, have a look at http://jwt.io.

There are many databases where you can persist your tokens. Depending on your requirements, you can explore different solutions such as relational databases, key-value stores or document stores.


10-25 09:15