Uncovering the IBM SmartCloud Entry Web Services security mechanism

Source: Internet
Author: User

Environment preparation

A running IBM SmartCloud Entry system

Eclipse 3.6 or later

The security mechanism of Web Service based on Restlet

Before you start

Before starting, here is a brief explanation of some terms used in this article.

Restlet: Started in 2005, Restlet is an open source project for Java developers. It is designed to give developers a simple way to implement REST web services in a variety of scenarios. The latest stable version of Restlet is 2.1.1, and everything in this article is based on Restlet 2.1.

Dojo: Dojo is a powerful front-end framework that provides convenient Ajax methods, rich widgets, data structures, accessibility functions, effects, and layout helpers. Dojo is a fairly active open source project; as of today, the latest version of Dojo is 1.8.1. All implementations in this article are based on Dojo 1.8.1.

jQuery: jQuery is an excellent lightweight JavaScript framework. It makes Ajax interaction and a variety of animation effects easy to implement. jQuery's documentation is detailed, and there are a number of mature plug-ins available. All implementations in this article are based on jQuery 1.9.1.

HttpClient: A sub-project under Apache Jakarta Commons that provides an efficient, up-to-date, feature-rich client-side programming toolkit supporting HTTP.

cURL: Developed by the Swiss CURL, it is an integrated network transfer tool. For more information, refer to the cURL website.

The WebService security mechanism based on Restlet

The Restlet framework comes with a complete user authentication mechanism, and the IBM SmartCloud Entry user authentication mechanism is implemented on top of it. The user authentication mechanism of the Restlet framework is shown in Figure 1.

Figure 1. The authentication mechanism of Restlet

As the diagram shows, a client that is not authenticated cannot access the REST resources.

Before version 3.1, IBM SmartCloud Entry supported only HTTP Basic authentication. Starting with version 3.1, Token authentication was added on top of the original mechanism, and users can choose the authentication method that suits their needs. If a client presents both kinds of credentials at the same time, IBM SmartCloud Entry authenticates using HTTP Basic authentication only. The following sections briefly explain how to program each client to pass both kinds of authentication.

HTTP Basic Authentication

Brief introduction

HTTP Basic authentication is arguably the simplest form of HTTP authentication. It requires only a static, standard HTTP header to complete authentication. It also does not require a login page: the username and password can be passed directly in the URL, for example http://username:password@www.example.com/path. On the other hand, Basic authentication provides almost no confidentiality, because the username and password are sent from the client to the server with nothing more than Base64 encoding.

To pass HTTP Basic authentication, the client first needs to confirm that the username and password are correct. It then joins the username and password with a ":", Base64-encodes the result, prefixes the encoded string with "Basic", and places the combination in an HTTP header named "Authorization".
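The header construction described above, as an added example that is not part of the original article: it builds the "Authorization" value and then decodes it again, which shows that anyone who can read the request recovers the password without any key. The function names and sample credentials are constructed for illustration; the code assumes Node.js or a modern browser.

```javascript
// Added example: build and parse an HTTP Basic "Authorization" header value.
// Sample credentials below are constructed for illustration.

// UTF-8 string -> Base64 (btoa only accepts Latin-1, so encode bytes first).
function utf8ToBase64(text) {
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

// Base64 -> UTF-8 string; throws on malformed Base64 or invalid UTF-8.
function base64ToUtf8(b64) {
  const binary = atob(b64);
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Client side: join with ":", Base64-encode, prefix with "Basic ".
function buildBasicAuthHeader(username, password) {
  // A ":" in the username would make the pair ambiguous for the receiver.
  if (username.includes(":")) {
    throw new Error("username must not contain ':'");
  }
  return "Basic " + utf8ToBase64(username + ":" + password);
}

// Receiver side (or anyone who can read the request): recover the pair.
// Returns null when the value is not a well-formed Basic credential.
function parseBasicAuthHeader(headerValue) {
  const match = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(headerValue.trim());
  if (!match) return null;
  let decoded;
  try {
    decoded = base64ToUtf8(match[1]);
  } catch (e) {
    return null;
  }
  // Split on the FIRST ":" only, so passwords may contain colons.
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

const header = buildBasicAuthHeader("admin", "p@ss:word"); // constructed sample
console.log(header, parseBasicAuthHeader(header));
```

Because decoding needs no secret, Basic credentials should only ever travel over HTTPS.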

IBM SmartCloud Entry provides a REST API, POST "//hostname:port/unsecured/cloud/api/auth", that can be used to verify that the supplied username and password are valid. The following example uses this REST API to verify the username and password.
