Authentication tokens on REST
I have a REST Jersey web service.
My question is about the answer to this question, please check:
token based authentication in php
In that answer it's mentioned that:
"It then sends a hash of this token and certain characteristics of the request to authenticate the request, eg sha1(Token + Timestamp + Request URL + Request Body). Your server can validate this without the client having to send the token in plain text on each request."
Can anyone explain how the server can validate "without the client having to send the token in plain text on each request"? Should the client send the token to the server each time?
Another question is, once the server receives a hash of this token (which includes timestamp and userid, etc.), how will the server identify the user from this token without having a lookup table or DB where tokens are stored?
For the first question: the client can send a hashed version of the token and the server compares the hashed value with the value received from the client.
For the second question: you can keep a mapping between token and user in memory or on disk or wherever you think appropriate.
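As an added illustration of the scheme quoted in the question (not code from either answer), here is a minimal client/server pair in Python: the server keeps the token-to-user mapping, the client sends only userid, timestamp and a keyed hash over the timestamp, URL and body, and the server recomputes that hash from its stored token. HMAC-SHA256 is used in place of the quoted sha1(Token + ...) concatenation, and the user ids, token value and request data are constructed sample values.

```python
import hmac
import hashlib
import time

# Constructed sample data: the server's mapping of user id -> secret token,
# handed out once at login. This is the "mapping between token and user"
# from the answer above; the client holds its own copy of the token.
SERVER_TOKENS = {"alice": "9f1c4e2b-constructed-token"}
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is too old/new


def canonical(timestamp, url, body):
    # What both sides hash: timestamp, request URL and request body, joined
    # with a separator so the fields cannot run into one another.
    return "\n".join([str(timestamp), url, body]).encode()


def sign_request(token, timestamp, url, body):
    # Client side: keyed hash of the request characteristics. The token is the
    # HMAC key, so it never travels over the wire after login.
    return hmac.new(token.encode(), canonical(timestamp, url, body),
                    hashlib.sha256).hexdigest()


def verify_request(userid, timestamp, url, body, signature, now=None):
    # Server side: look up the user's token, recompute the signature and
    # compare in constant time; a stale timestamp limits replay of a capture.
    token = SERVER_TOKENS.get(userid)
    if token is None:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign_request(token, timestamp, url, body)
    return hmac.compare_digest(expected, signature)


def client_headers(userid, token, timestamp, url, body):
    # Headers the client attaches to a request; the token itself is absent.
    sig = sign_request(token, timestamp, url, body)
    return {"X-User": userid, "X-Timestamp": str(timestamp), "X-Signature": sig}


if __name__ == "__main__":
    ts = int(time.time())
    hdrs = client_headers("alice", SERVER_TOKENS["alice"], ts,
                          "/api/orders", '{"item": 1}')
    print(verify_request("alice", ts, "/api/orders", '{"item": 1}',
                         hdrs["X-Signature"]))
```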
This is an oversimplified example of an approach which employs encryption/decryption of a portion of the authorization token using a secretkey which exists only on the server side. The AUTHORIZATION_TOKEN can be sent to the client which would be transmitted in any subsequent request.
1) To log in, user sends userid, password, sessionid, timestamp
2) On successful validation server produces TOKEN = encrypt(secretkey, userid + sessionid + time_stamp).
3) Server sends AUTHORIZED_TOKEN = TOKEN + userid + sessionid + timestamp to client
4) Client sends this token with each and every request throughout the session
5) Server decrypts the TOKEN portion of AUTHORIZED_TOKEN, then unpacks the decrypted userid, sessionid, timestamp from TOKEN and compares them to their plain text counterparts in AUTHORIZED_TOKEN.
6) If there is any inequality, the server redirects to the login page.
7) No important info sent in plain text.
8) Secretkey only exists on server side
9) No user mapping to disk or memory necessary as token contains userid