RESTful Authentication

Gregg Bolinger
Ranch Hand

Joined: Jul 11, 2001
Posts: 15230

I recently implemented my own authentication for RESTful web services within a grails application I am building. The process is that the user sends some credentials in the HTTP Header that a filter pulls out and then uses that to authenticate the user via Spring Security. Everything goes over HTTPS so I feel pretty safe about the security of that model. Recently, when looking at using a 3rd party RESTful API, I noticed that they are having us send credentials in the XML body in an authentication block. Again, this is going over HTTPS.

My questions are as follows:

1. When implementing a RESTful web service architecture, is one method preferred over the other?
2. Is there any reason one method might be more secure?
3. Is there a better / more secure / more standard way of handling authentication with a RESTful architecture?

I've looked a bit into implementing my own OAuth but to me, that seems slightly over complicated, at least for my needs right now. This isn't a system where millions of people need to utilize an API.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 56540

In my opinion, requiring an envelope within the body makes a service non-RESTful. That's way too SOAP-y for my tastes.

Like you, I simply use HTTP authentication and that works just fine for me and my clients. It also has the advantage that GET requests can be made directly within a browser, and the browser knows how to prompt for credentials.


[Smart Questions] [JSP FAQ] [Books by Bear] [Bear's FrontMan] [About Bear]
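The two header styles the thread compares, worked through as an added example that is not code from the thread or from Grails/Spring Security: a plain Java class doing what a pre-authentication filter would do, namely pull a username/password pair out of either the standard HTTP Basic Authorization header (RFC 7617) or a custom header, compare the password in constant time, and build the WWW-Authenticate challenge that makes a browser prompt for credentials, which is the point Bear makes above. The custom header name X-Auth-Credentials and the credentials alice/s3cret are assumptions for the example; the thread does not name the real header. It uses only the JDK (Java 11 or later), so there is no Spring dependency; in a real filter the password comparison would be against a stored hash through Spring Security's PasswordEncoder rather than against a plaintext secret.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;

/**
 * Added example (not the thread's code): the server-side credential extraction
 * a filter in front of Spring Security would do, for the two header styles
 * discussed in the thread: standard HTTP Basic and a custom application header.
 */
public final class HeaderCredentialExtractor {

    /** Username/password pair pulled out of a request. */
    public static final class Credentials {
        public final String username;
        public final String password;
        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    /** Hypothetical custom header; the thread does not name the real one. */
    public static final String CUSTOM_HEADER = "X-Auth-Credentials";

    /** Standard form (RFC 7617): "Authorization: Basic base64(user:password)". */
    public static Optional<Credentials> fromBasicHeader(String authorization) {
        if (authorization == null) {
            return Optional.empty();
        }
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
            return Optional.empty();            // some other scheme, e.g. Bearer
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException malformed) {
            return Optional.empty();            // garbage token is treated as "no credentials"
        }
        return splitUserPass(new String(decoded, StandardCharsets.UTF_8));
    }

    /** Custom form: "X-Auth-Credentials: user:password", protected only by the TLS tunnel. */
    public static Optional<Credentials> fromCustomHeader(String value) {
        return value == null ? Optional.empty() : splitUserPass(value.trim());
    }

    /** Filter logic: try the standard header first, then fall back to the custom one. */
    public static Optional<Credentials> extract(Map<String, String> headers) {
        Optional<Credentials> basic = fromBasicHeader(header(headers, "Authorization"));
        return basic.isPresent() ? basic : fromCustomHeader(header(headers, CUSTOM_HEADER));
    }

    /** Constant-time comparison so a wrong password takes the same time whatever its prefix. */
    public static boolean passwordMatches(String presented, String expected) {
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    /** Value for the WWW-Authenticate header on a 401; this is what makes a browser prompt. */
    public static String challengeHeader(String realm) {
        return "Basic realm=\"" + realm + "\", charset=\"UTF-8\"";
    }

    /** The user-id may not contain ':' (RFC 7617), so split on the first colon only. */
    private static Optional<Credentials> splitUserPass(String userPass) {
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return Optional.empty();
        }
        return Optional.of(new Credentials(userPass.substring(0, colon), userPass.substring(colon + 1)));
    }

    /** HTTP header names are case-insensitive; clients differ in what casing they send. */
    private static String header(Map<String, String> headers, String name) {
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (e.getKey().equalsIgnoreCase(name)) {
                return e.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: what a browser or "curl -u alice:s3cret" sends
        String token = Base64.getEncoder().encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        Credentials c = extract(Map.of("authorization", "Basic " + token))
                .orElseThrow(IllegalStateException::new);
        System.out.println(c.username + " password ok: " + passwordMatches(c.password, "s3cret"));
        // A request with neither header gets a 401 carrying this challenge:
        System.out.println("WWW-Authenticate: " + challengeHeader("api"));
    }
}
```

On the wire the two forms are equally protected by HTTPS: both carry the password in plaintext inside the TLS tunnel, so the difference the thread is really about is interoperability (curl -u, browsers, HTTP client libraries all know Basic and the 401 challenge), not transport security. The base64 in the Basic header is encoding, not encryption, which is why the example decodes it without any key.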
Gregg Bolinger
Ranch Hand

Joined: Jul 11, 2001
Posts: 15230

I agree that it feels very SOAPy. I should be clear though in that I'm not doing HTTP Authentication. Does that change your thoughts at all with regards to my question?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 56540

No, using headers is still more RESTful than envelopes.

But I'd ask why not use HTTP authentication? It's well-supported by libraries that consume web services and understood by all clients (such as browsers).
Gregg Bolinger
Ranch Hand

Joined: Jul 11, 2001
Posts: 15230

Bear Bibeault wrote:No, using headers is still more RESTful than envelopes.

But I'd ask why not use HTTP authentication? It's well-supported by libraries that consume web services and understood by all clients (such as browsers).


Because I'm using Spring Security.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 56540

Ah. Does that cause undue hardship on your consumers? (I was doing something similar, and found that it was much easier to consume the RESTful API using available tools if HTTP authentication was used.)
Gregg Bolinger
Ranch Hand

Joined: Jul 11, 2001
Posts: 15230

Bear Bibeault wrote:Ah. Does that cause undue hardship on your consumers? (I was doing something similar, and found that it was much easier to consume the RESTful API using available tools if HTTP authentication was used.)


No, because we have one consumer right now, and it is the iPhone application that we developed. So everything is very controlled. I'm just trying to figure out what to do in the future.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 56540

Got it!

Most of mine are consumed by "things out there", so making it easy to consume is in my client's best interest.


(Things are SO much easier when you are your own client, aren't they? )