HMAC-based REST API authentication

One: Common HTTP authentication methods

        REST (Representational State Transfer) is a design style for HTTP-based web services. A RESTful API is stateless, which means that authenticating a request must not rely on cookies or server-side sessions: every request has to carry whatever the server needs to authenticate it.

        Common HTTP authentication methods are:

        HTTP BASIC

        The client puts "username:password" base64-encoded into the Authorization header; the backend extracts the Authorization header and base64-decodes it. Base64 is an encoding, not encryption, so when HTTPS is not used the credentials travel effectively in the clear on every request and the security is very low.

(Figure: code implementation of HTTP Basic authentication)

        HTTP DIGEST

        The client first sends the request without credentials. The server fails to authenticate it, returns 401 and attaches a unique nonce in the WWW-Authenticate header. The client takes the nonce, its user information (username, realm, password) and the request details (method, URI), computes a digest (usually MD5) from them, attaches that digest in the Authorization header and sends the request again. The server recomputes the digest from the password it holds and compares.

(Figure: 401 response returned when authentication fails)
(Figure: second request carrying the message digest)

        This is more secure than HTTP Basic: the password itself never leaves the client, and because the nonce is unique and single-use (combined with a nonce count when qop=auth) a captured request cannot simply be replayed. The drawbacks are that the client has to send two requests, that the digest is typically MD5, and that web servers and client environments support HTTP Digest in different ways and to different extents.
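The two schemes above side by side, as an added example that is not part of the original article: a Basic header is built and then decoded by an "observer" with nothing but base64, while the Digest flow runs the 401 challenge, the client's MD5 response computation (RFC 2617, qop=auth) and a server that recomputes the response and rejects a reused nonce count. The realm "api", the user "alice"/"s3cret", the URI "/orders" and the cnonce value are constructed sample data.

```python
import base64
import hashlib
import hmac
import secrets


# ---- HTTP Basic: the header only encodes the credentials, it does not protect them ----

def basic_header(username, password):
    """Authorization header a client sends for HTTP Basic."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials(header):
    """What any proxy, log file or on-path observer recovers from that header without a key."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# ---- HTTP Digest (RFC 2617, qop=auth): password stays on the client, nonce + nonce count bound replay ----

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side computation of the 'response' field."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # username -> password; constructed sample store for the demo only
        self.nonces = {}        # nonce -> highest nonce count (nc) accepted so far

    def challenge(self):
        """First request without credentials: answer 401 with a fresh server nonce."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"status": 401,
                "WWW-Authenticate": f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'}

    def verify(self, method, uri, auth):
        """Second request: recompute the response from the stored password and reject a reused nc."""
        nonce = auth["nonce"]
        if nonce not in self.nonces:
            return False, "unknown or stale nonce"
        nc = int(auth["nc"], 16)
        if nc <= self.nonces[nonce]:
            return False, "nonce count already used (replay)"
        password = self.users.get(auth["username"])
        if password is None:
            return False, "unknown user"
        expected = digest_response(auth["username"], self.realm, password,
                                   method, uri, nonce, auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False, "response mismatch"
        self.nonces[nonce] = nc
        return True, "ok"


def run_digest_exchange():
    """Walk through the two-request Digest flow, then replay the second request verbatim."""
    server = DigestServer("api", {"alice": "s3cret"})   # constructed sample credential
    first = server.challenge()
    nonce = first["WWW-Authenticate"].split('nonce="')[1].rstrip('"')
    auth = {"username": "alice", "nonce": nonce, "nc": "00000001", "cnonce": "0a4f113b"}
    auth["response"] = digest_response("alice", "api", "s3cret", "GET", "/orders",
                                       nonce, auth["nc"], auth["cnonce"])
    second = server.verify("GET", "/orders", auth)
    replay = server.verify("GET", "/orders", auth)     # identical request resent by an observer
    return first["status"], second[0], replay[0]


if __name__ == "__main__":
    print(basic_credentials(basic_header("alice", "s3cret")))   # ('alice', 's3cret')
    print(run_digest_exchange())                                 # (401, True, False)
```

The server keeps one counter per nonce rather than a set of every request seen, which is what makes the replay check cheap; a real deployment also expires nonces after a short time so the table does not grow without bound.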

        OAUTH2

        OAuth2 is primarily an authorization framework, not an authentication protocol. It is mostly used for third-party authorization, for example logging in to Jianshu with QQ account information. The commonly used authentication frameworks Spring Security and Shiro both support integrating this protocol.

Two: appId + HMAC authentication method

        1. appId: a unique identifier used to determine which client is calling.

        2. HMAC: Hash-based Message Authentication Code. The digest is computed over the request with a secret key, so only a party holding that key can produce or verify it.

(Figure: HmacMD5 digest generation)

        3. appKey: the secret key the HMAC algorithm uses to generate the digest. The key is generated by the server, and one appId corresponds to one appKey.

        4. The client holds its appId and appKey; the appKey itself is never sent over the network.

        5. Before each request, sort the request parameter names in natural order, take the parameter values in that order and concatenate them to form the baseString, then append the appId and the timestamp (current time, millisecond precision) to the end of the baseString. Compute the digest over the baseString with the HMAC algorithm keyed with the appKey. Note that concatenating bare values lets different parameter sets produce the same baseString (for example a=12,b=3 and a=1,b=23); signing name=value pairs with a separator avoids that.

        6. The client sends the request with the three extra parameters appId, timestamp and digest, for example the GET request: parameter1=p1&parameter2=p2&appId=<appId>&timestamp=<timestamp>&digest=<digest>. If the parameter values should not be readable in transit they can additionally be AES-encrypted with a key shared out of band; this does not replace HTTPS, which protects the whole request including the digest.

        7. Server-side verification: first require that appId, digest and timestamp are all present and non-empty; look up the appKey for that appId; rebuild the digest with exactly the same steps the client used; compare it with the digest the client passed in (using a constant-time comparison); check in the database whether that digest has already been used; and, once verification succeeds, store the digest in the used-digest table so it is never accepted again. Without a freshness check on the timestamp the used-digest table grows without bound, so in practice the server should also reject timestamps outside an acceptable window, which lets old entries be expired.

(Figure: server-side verification code)
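Steps 5 to 7 carried through end to end, as an added example that is not the article's or the jsets project's code. The client builds the base string, signs it and attaches appId, timestamp and digest; the verifier checks presence, looks up the key, enforces a freshness window (an addition, the article only keeps a used-digest table), recomputes and compares the digest in constant time, and records accepted digests so a replay is refused. Two deliberate deviations from the article, both labelled in the code: the base string is built from name=value pairs joined with "&" instead of bare concatenated values, and HMAC-SHA256 replaces HmacMD5. The appId "app-1001", its key and the timestamps are constructed sample data.

```python
import hashlib
import hmac
import time
import urllib.parse

# Constructed sample credential store: one appId -> one appKey, issued by the server out of band.
APP_KEYS = {"app-1001": b"0f3c9a7e1b4d8e2a6c5f9b1d3e7a2c4b"}

RESERVED = ("appId", "timestamp", "digest")   # authentication parameters, excluded from the business params


def base_string(params, app_id, timestamp_ms):
    """Canonical string covered by the MAC: business parameters sorted by name, then appId and timestamp.
    Deviates from the article's value-only concatenation: name=value pairs joined with '&' (values
    URL-encoded) so that {'a': '12', 'b': '3'} and {'a': '1', 'b': '23'} cannot yield the same string."""
    canonical = "&".join(f"{k}={urllib.parse.quote(str(params[k]), safe='')}" for k in sorted(params))
    return f"{canonical}&appId={app_id}&timestamp={timestamp_ms}"


def sign(params, app_id, app_key, timestamp_ms):
    """HMAC over the base string. HMAC-SHA256 is used here in place of the article's HmacMD5."""
    return hmac.new(app_key, base_string(params, app_id, timestamp_ms).encode(), hashlib.sha256).hexdigest()


def client_request(params, app_id, app_key, now_ms=None):
    """Build the query the client sends: business params plus appId, timestamp (ms) and digest."""
    ts = now_ms if now_ms is not None else int(time.time() * 1000)
    request = dict(params)
    request.update({"appId": app_id, "timestamp": str(ts), "digest": sign(params, app_id, app_key, ts)})
    return request


class Verifier:
    WINDOW_MS = 5 * 60 * 1000   # freshness window; an addition so the used-digest table can be pruned

    def __init__(self, keys):
        self.keys = keys
        self.used = set()        # (appId, digest) pairs already accepted: the article's used-digest table

    def verify(self, request, now_ms):
        app_id, ts, digest = (request.get(k) for k in RESERVED)
        if not app_id or not ts or not digest:
            return False, "missing appId, timestamp or digest"
        key = self.keys.get(app_id)
        if key is None:
            return False, "unknown appId"
        try:
            ts_int = int(ts)
        except ValueError:
            return False, "malformed timestamp"
        if abs(now_ms - ts_int) > self.WINDOW_MS:
            return False, "timestamp outside window"
        params = {k: v for k, v in request.items() if k not in RESERVED}
        expected = sign(params, app_id, key, ts_int)
        if not hmac.compare_digest(expected, digest):   # constant-time comparison
            return False, "digest mismatch"
        if (app_id, digest) in self.used:
            return False, "digest already used (replay)"
        self.used.add((app_id, digest))
        return True, "ok"


def demo():
    """Valid request, then a replay, a tampered parameter and a stale timestamp against one verifier."""
    verifier = Verifier(APP_KEYS)
    now = 1_700_000_000_000
    key = APP_KEYS["app-1001"]
    good = client_request({"parameter1": "p1", "parameter2": "p2"}, "app-1001", key, now)
    accepted = verifier.verify(good, now)[0]
    replayed = verifier.verify(good, now + 10)[0]
    tampered = verifier.verify(dict(good, parameter2="p3"), now)[0]
    stale = client_request({"parameter1": "p1"}, "app-1001", key, now - Verifier.WINDOW_MS - 1)
    expired = verifier.verify(stale, now)[0]
    return accepted, replayed, tampered, expired


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The order of checks matters for cost: presence, key lookup and the timestamp window are cheap and run before the HMAC, and the used-digest lookup runs only for digests that already verified, so an attacker cannot fill the table with garbage. Entries older than WINDOW_MS can be dropped from the table because the window check rejects them anyway.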
 

Three: Summary

The characteristics of this authentication processing method:

1. User passwords and the appKey are never transmitted over the network.

2. Optionally, the request parameters are encrypted (AES) in transit to prevent leakage of sensitive information.

3. An HMAC digest over the request prevents tampering.

4. A timestamp is included in the digest and each digest may be used only once, which prevents replay attacks.

 

 

jsets-shiro-spring-boot-starter encapsulates this HMAC authentication; see the project documentation and source code.

Functions commonly needed in projects, such as captchas, password-error limits, one login per account, dynamic URL filtering rules and stateless authentication, are encapsulated by jsets-shiro-spring-boot-starter and imported automatically, so a small amount of configuration is enough to use them in a project.

1. For details of the jsets-shiro-spring-boot-starter project, see: jsets-shiro-spring-boot-starter

2. For the source code of an application example, see: jsets-shiro-demo

3. For usage instructions for jsets-shiro-spring-boot-starter, see: Instructions for Use
