Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
848 views
in Technique[技术] by (71.8m points)

security - Session management : How to generate Authentication token for REST service ? (Jersey)

I am trying to implement session management in my REST service. I came to know these guidelines while surfing :

  1. Not using server side sessions - it violates the RESTful principle.

  2. Using HTTP Basic authentication - Not possible right now, as I am asked not to use SSL/TLS (which is no doubt needed for Basic auth.)

  3. Using Http digest - I heard this increases network traffic. This sounds costly, especially when my client is a mobile device.

  4. Using cookies - I am told I should never rely on cookie for securing my important resources, they can be spoofed easily. Plus, I read about cross-site scripting attacks through cookies.

  5. I am left with an option of generating authentication token ,which the user has to send everytime - which I admit is not "entirely" RESTful.

Now I need to know, how should I generate these unique authentication tokens, which are secure enough at a business level ? Is there some library for Jersey ? Should I go for OAuth..I have just read a little about them, are they useful in my case ? Please keep in mind that my target clients are mobile devices - can they access an OAuth service ??

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

For simplicity sake, I generate my own authentication token using UUID before encrypting the entire token with Jasypt:-

String key = UUID.randomUUID().toString().toUpperCase() +
        "|" + someImportantProjectToken +
        "|" + userName +
        "|" + creationDateTime;

StandardPBEStringEncryptor jasypt = new StandardPBEStringEncryptor();

...

// this is the authentication token user will send in order to use the web service
String authenticationToken = jasypt.encrypt(key);

The key contains the creationDateTime so that I can use it to verify the time-to-live. This way, if the user uses the same authentication token after X minutes, it will not work anymore, and I'll send back a 403 forbidden code.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...