IBM SmartCloud Entry Web Service security mechanism based on Restlet


This article briefly describes the two Web Service security mechanisms that IBM SmartCloud Entry provides, and how a variety of client programs can authenticate through them.

Environment preparation

  • A running IBM SmartCloud Entry system

  • Eclipse 3.6 or later

Before you start

Before starting, here is a brief explanation of some terms used in this article.

Restlet: Started in 2005, Restlet is an open-source project for Java developers. It is designed to give developers a simple way to implement REST Web Services in a variety of scenarios. The latest stable version of Restlet is 2.1.1, and everything in this article is based on Restlet 2.1.

Dojo: Dojo is a powerful front-end framework that provides convenient Ajax methods, rich widgets, data structures, accessibility functions, effects, and layout helpers. Dojo is a fairly active open source project; as of today, the latest version of Dojo is 1.8.1. All implementations in this article are based on Dojo 1.8.1.

jQuery: jQuery is an excellent lightweight JavaScript framework that makes it easy to provide Ajax interaction and a variety of animation effects. jQuery's documentation is detailed, and there are a number of mature plug-ins to use. All implementations in this article are based on jQuery 1.9.1.

HttpClient: A sub-project under Apache Jakarta Commons that provides an efficient, up-to-date, feature-rich client-side programming toolkit supporting the HTTP protocol.

cURL: An integrated network transfer tool, developed by the Swiss CURL. For more information, please refer to the cURL website.

Web Service security mechanism based on Restlet

The Restlet framework comes with a complete user authentication mechanism, and the IBM SmartCloud Entry user authentication mechanism is implemented on top of it. The user authentication mechanism of the Restlet framework is shown in Figure 1.

Figure 1. The authentication mechanism of Restlet

As can be seen from the diagram, if the Client is not authenticated, there is no way to access the REST resources.

Before version 3.1, IBM SmartCloud Entry supported only HTTP Basic authentication. Starting with version 3.1, Token authentication was added alongside it, and users can choose the authentication method that suits their needs. If a client supplies both kinds of credentials at the same time, IBM SmartCloud Entry authenticates using HTTP Basic authentication only. The following sections briefly explain how to program each client to pass both kinds of authentication.

HTTP Basic Authentication

HTTP Basic authentication is arguably the simplest form of HTTP authentication. It needs only static, standard HTTP headers to complete authentication. It also does not require a login page: the username and password can be passed directly in the URL, for example http://username:password@www.example.com/path. On the other hand, Basic authentication offers almost no confidentiality: the username and password are sent from the client to the server merely Base64-encoded.

To pass HTTP Basic authentication, the client first confirms that the username and password are correct, then joins the username and password with a ":", Base64-encodes the result, and places the encoded value, prefixed with "Basic ", in an HTTP header named "Authorization".

IBM SmartCloud Entry provides a REST API, POST "//hostname:port/unsecured/cloud/api/auth", that can be used to verify that the supplied username and password are valid. The following example uses this REST API to verify the username and password.

How to make a Dojo client pass authentication

Listing 1 shows how a Dojo client can pass IBM SmartCloud Entry authentication by using the HTTP Basic authentication method. After confirming the username and password, it retrieves the deployed workloads to verify that authentication has passed.

Listing 1. The Dojo client passes HTTP Basic authentication

dojo.require("dojox.encoding.digests._base");
dojo.ready(function () {
    var base64Encode, username = "xhh", password = "password";
    dojo.xhrPost({
        // Verify that the username and password are valid via POST.
        // The absolute address here is hostname:port/unsecured/cloud/api/auth
        url: "../../unsecured/cloud/api/auth",
        content: {
            username: encodeURIComponent(username),
            password: encodeURIComponent(password)
        },
        // The Ajax request is synchronous here to keep the flow easy to follow;
        // in practice it can be made asynchronous.
        sync: true,
        handle: function (response, ioArgs) {
            if (ioArgs.xhr.status === 200) {
                // Base64-encode "username:password"
                base64Encode = dojox.encoding.digests.wordToBase64(
                    dojox.encoding.digests.stringToWord(
                        encodeURI(username) + ":" + encodeURI(password)));
            } else {
                console.error("wrong username or password!");
            }
        }
    });
    if (base64Encode) {
        // Verify that authentication has passed.
        dojo.xhrGet({
            // The absolute address here is hostname:port/cloud/api/workloads
            url: "../api/workloads",
            handleAs: "json",
            headers: {
                "Accept": "application/json, filetype, html",
                "Authorization": "Basic " + base64Encode,
                "Content-Type": "filetype; charset=utf-8"
            },
            handle: function (response, ioArgs) {
                if (ioArgs.xhr.status === 200) {
                    console.log(response);
                } else {
                    console.error(response);
                }
            }
        });
    }
});

As long as the client remembers the value of base64Encode and sends it in the Authorization header, each HTTP request passes authentication.
