DropWizard 身份验证领域

在 DropWizard 中，我可以像这样设置基本身份验证(在 Application#run impl 中):

BasicAuthProviderauthProvider = new BasicAuthProvider(authenticator, "SECRET_REALM");environment.jersey().register(authProvider);

我想知道String realm ("SECRET_REALM") 的意义是什么?

根据一般的安全概念，我将领域"理解为存储用户和角色/权限的地方(数据库、目录、文件、密钥库等).

在 DropWizard 中域是什么意思，在 BasicAuthProvider 中指定它的意义是什么?它是否在这个领域创造了一些东西?

解决方案

从某种意义上说，领域是服务器中的一些受保护区域/空间.领域应该有一个名字.如果我们从 只是声明(关于 realm):

<块引用>

领域:
要显示给用户的字符串，以便他们知道哪个用户名和使用密码.此字符串应至少包含执行身份验证的主机，并且可能另外指示可能具有访问权限的用户的集合.一个例子可能是registered_users@gotham.news.com".

In DropWizard, I can set up basic auth like so (in the Application#run impl):

BasicAuthProvider<SimplePrincipal> authProvider = new BasicAuthProvider(authenticator, "SECRET_REALM");
environment.jersey().register(authProvider);

I am wondering what the significance of the String realm ("SECRET_REALM") is?

From general security concepts, I understand a "realm" to be a place (database, directory, file, keystore, etc.) where users and roles/permissions are stored.

What does a realm mean in DropWizard, and what's the significance of specifying it inside BasicAuthProvider? Does it create something with this realm under the hood?

解决方案

A realm is in a sense, some protected area/space in the server. The realm should have a name. If we run the example from this post, using cURL(which I recommend downloading, as it's useful in development), without any user credentials, we will see the following.

C:>curl -i  http://localhost:8080/simple
HTTP/1.1 401 Unauthorized
Date: Thu, 11 Dec 2014 18:55:02 GMT
WWW-Authenticate: Basic realm="Basic Example Realm"
Content-Type: text/plain
Transfer-Encoding: chunked

Credentials are required to access this resource.

This is how the Basic Auth Protocol works. When the server want the user agent to authenticate, to access a secured resource, it will send back a "401 Unauthorized", along with the header similar to

WWW-Authenticate: Basic realm="Basic Example Realm"

The name you provide to the BasicAuthProvider is the realm that will be provided in the header. You can see in the source code

if (required) {
    final String challenge = String.format(CHALLENGE_FORMAT, realm);
    throw new WebApplicationException(
                                    Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, challenge)
                    .entity("Credentials are required to access this resource.")
                    .type(MediaType.TEXT_PLAIN_TYPE)
                    .build());

Now try to access the resource from the browser. You will see

You can also see the realm name there. The RFC 2617 just states (about the realm):

realm:
A string to be displayed to users so they know which username and password to use. This string should contain at least the name of the host performing the authentication and might additionally indicate the collection of users who might have access. An example might be "registered_users@gotham.news.com".