Basic authentication

HTTP Basic authentication is one of the least resource-demanding techniques for enforcing access control on web resources. You can secure your Quarkus application endpoints by using HTTP Basic authentication; Quarkus includes a built-in authentication mechanism for it.

Basic authentication uses fields in the HTTP header and does not rely on HTTP cookies, session identifiers, or login pages.

Authorization header

An HTTP user agent, such as a web browser, uses the Authorization header to provide a username and password with each HTTP request. The header has the form `Authorization: Basic <credentials>`, where `<credentials>` is the Base64 encoding of the user ID and the password, joined by a colon.

Example:

If the user name is `Alice` and the password is `secret`, the HTTP authorization header would be `Authorization: Basic QWxjZTpzZWNyZXQ=`, where `QWxjZTpzZWNyZXQ=` is the Base64-encoded representation of the `Alice:secret` string.
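The following Python block is an added illustration of the header format described above; it is not code from the Quarkus documentation or the Quarkus project. `build_basic_header` produces the header value for a user ID and password, and `parse_basic_header` recovers both from a received header, rejecting values that are not well-formed Basic credentials. Both function names are assumptions of this example. Running it on the `Alice`/`secret` pair lets you check the encoding yourself, and the parser makes the confidentiality point concrete: anyone who sees the header recovers the password with one decode call.

```python
import base64
import binascii
from typing import Optional, Tuple


def build_basic_header(user_id: str, password: str) -> str:
    """Return the value of an Authorization header carrying Basic credentials.

    The user ID must not contain a colon, because the colon separates the
    two fields; the password may contain colons (only the first one splits).
    """
    if ":" in user_id:
        raise ValueError("user ID must not contain a colon")
    raw = f"{user_id}:{password}".encode("utf-8")
    token = base64.b64encode(raw).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (user_id, password) from an Authorization header value.

    Returns None for anything that is not a syntactically valid Basic
    credential: wrong scheme, invalid Base64, non-UTF-8 bytes, or a
    decoded string with no colon.
    """
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if ":" not in text:
        return None
    user_id, password = text.split(":", 1)
    return user_id, password


if __name__ == "__main__":
    header = build_basic_header("Alice", "secret")
    print("Authorization:", header)
    # The credentials are only encoded, not encrypted: decoding is trivial.
    print("Recovered from the wire:", parse_basic_header(header))
```

Because the scheme name is case-insensitive and the password may legitimately contain colons, the parser lower-cases the scheme and splits the decoded string on the first colon only; a server that splits on the last colon or compares the scheme case-sensitively will reject valid clients.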

The Basic authentication mechanism provides no confidentiality protection for the transmitted credentials. In transit they are merely Base64-encoded, not encrypted or hashed in any way. To provide confidentiality, use Basic authentication together with HTTPS.

Basic authentication is a well-specified, simple challenge-and-response scheme that all web browsers and most web servers understand.

Limitations with using Basic authentication

The following table outlines some limitations of using HTTP Basic authentication to secure your Quarkus applications:

Table 1. Limitations of HTTP Basic authentication

| Limitation | Description |
| --- | --- |
| Credentials are sent as plain text | Use HTTPS with Basic authentication to avoid exposing the credentials. The risk of exposing credentials as plain text increases if a load balancer terminates HTTPS, because the request is then forwarded to Quarkus over HTTP. Furthermore, in multi-hop deployments, the credentials can be exposed if HTTPS is used only between the client and the first Quarkus endpoint and the credentials are propagated to the next Quarkus endpoint over HTTP. |
| Credentials are sent with each request | In Basic authentication, a username and password must be sent with each request, which increases the risk of exposing credentials. |
| Application complexity increases | The Quarkus application must ensure that usernames, passwords, and roles are managed securely. This can add significant complexity to the application. Depending on the use case, other authentication mechanisms that delegate username, password, and role management to specialized services might be more secure. |
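The first row of the table is the one most often misjudged in deployments: a request can arrive at the application over plain HTTP even though the client spoke HTTPS to a load balancer. The following Python block is an added example, not code from Quarkus, that models the transport decision a defender wants to make before accepting Basic credentials. It classifies a request by the hop that actually reached the application and by whether the `X-Forwarded-Proto` header came from a proxy address you trust; the request dictionary shape, the `TRUSTED_PROXIES` set, and the function names are all assumptions of this example. Quarkus has its own HTTP configuration for trusting proxy headers and for refusing insecure requests; the block only shows what the policy must decide.

```python
from typing import Dict, List, Tuple

# Constructed for this example: addresses of load balancers whose
# X-Forwarded-Proto header we are willing to believe.
TRUSTED_PROXIES = frozenset({"10.0.0.5"})


def classify_transport(request: Dict, trusted_proxies=TRUSTED_PROXIES) -> str:
    """Describe how the credentials reached the application.

    request["scheme"] is the scheme of the connection that reached us,
    request["peer"] is the TCP peer address, request["headers"] the headers.
    """
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if request.get("scheme") == "https":
        return "tls-to-application"
    forwarded = headers.get("x-forwarded-proto", "").lower()
    if request.get("peer") in trusted_proxies and forwarded == "https":
        # Client-to-proxy hop was encrypted, but the proxy-to-application
        # hop carried the Base64 credentials in clear text (table row 1).
        return "tls-terminated-at-proxy"
    # Either no TLS anywhere, or a forwarded-proto claim from a peer we do
    # not trust; any client can set that header itself, so it proves nothing.
    return "plaintext"


def basic_credentials_allowed(request: Dict, trusted_proxies=TRUSTED_PROXIES,
                              allow_proxy_termination: bool = False) -> bool:
    """Accept Basic credentials only over a confidential path.

    With the default strict policy only TLS to the application qualifies.
    allow_proxy_termination=True accepts the proxy-terminated case as well,
    which is only reasonable when the proxy-to-application network is
    itself trusted.
    """
    kind = classify_transport(request, trusted_proxies)
    if kind == "tls-to-application":
        return True
    if kind == "tls-terminated-at-proxy":
        return allow_proxy_termination
    return False


# Constructed sample requests covering the cases from the table.
SAMPLE_REQUESTS: List[Tuple[str, Dict]] = [
    ("direct https", {"scheme": "https", "peer": "203.0.113.7", "headers": {}}),
    ("direct http", {"scheme": "http", "peer": "203.0.113.7", "headers": {}}),
    ("lb terminates tls, trusted proxy",
     {"scheme": "http", "peer": "10.0.0.5", "headers": {"X-Forwarded-Proto": "https"}}),
    ("lb forwards plain http, trusted proxy",
     {"scheme": "http", "peer": "10.0.0.5", "headers": {"X-Forwarded-Proto": "http"}}),
    ("spoofed forwarded-proto from untrusted peer",
     {"scheme": "http", "peer": "203.0.113.7", "headers": {"X-Forwarded-Proto": "https"}}),
]


def audit(requests: List[Tuple[str, Dict]], allow_proxy_termination: bool = False,
          trusted_proxies=TRUSTED_PROXIES) -> List[Tuple[str, str, bool]]:
    """Return (name, transport class, allowed) for each sample request."""
    return [
        (name,
         classify_transport(req, trusted_proxies),
         basic_credentials_allowed(req, trusted_proxies, allow_proxy_termination))
        for name, req in requests
    ]


if __name__ == "__main__":
    for name, kind, allowed in audit(SAMPLE_REQUESTS):
        print(f"{name:45} {kind:25} accept={allowed}")
```

The spoofed case is the reason the peer address is checked before the header is believed: `X-Forwarded-Proto` is just another request header, so it only carries information when it was set by a proxy you control.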

Implementing Basic authentication in Quarkus

For more information about how you can secure your Quarkus applications by using Basic authentication, see the following resources:

Role-based access control

Quarkus also includes built-in security support for role-based access control (RBAC) based on the common security annotations `@RolesAllowed`, `@DenyAll`, and `@PermitAll` on REST endpoints and CDI beans. For more information, see the Quarkus Authorization of web endpoints guide.