What security mechanisms or strategies are available with REST?

 
J Kilgrow
Greenhorn
Posts: 21
Another question that I have is around security.
I can secure a SOAP service with basic auth as a minimum but I can also do more advanced security like post backs to get userid and password.

What security mechanisms or strategies are available with REST?
 
Praful Thakare
Ranch Hand
Posts: 642
Well, REST is built on the HTTP foundation, so everything you can do with HTTP can be done here, so simply sending a 401 (if I am not wrong) from the REST response will ask for login.


I am not sure if only authors should answer questions; if so, I take back my answer.
 
J Kilgrow
Greenhorn
Posts: 21
How does that work in a non-interactive environment, like when I have to use REST from another service (service to service)? For instance, if I have a SOAP service that needs to call a REST service, if the REST service sends a 401 back to the SOAP service, how...does that work? I guess that would be similar to a postback?
 
Praful Thakare
Ranch Hand
Posts: 642
How would you call a REST service from SOAP? I assume using a REST client API, so obviously you have to write code to handle the 401 (btw, it also needs header values) to call the redirected URL with login credentials.
A browser (interactive, as per your statement) does the same: once it gets a 401 (login request) it prompts for userid/pwd and sends that information to the new URL.

This would be the same as writing a standalone REST client in a main method. This being in a SOAP service makes no difference, as the service code becomes the client.

-P
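
The non-interactive 401 exchange discussed above, as an added example that is not part of the original posts: a client with no user to prompt answers a Basic challenge by resending the same request with an `Authorization` header. The loopback server, the `svc-orders` credentials, the `/orders` path and all function names are constructed for the demo; on a real network Basic credentials are only base64-encoded, so the call has to run over TLS.

```python
import base64
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "svc-orders", "example-secret"  # constructed demo credentials

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class ProtectedResource(BaseHTTPRequestHandler):
    def do_GET(self):
        sent = self.headers.get("Authorization", "")
        # Constant-time comparison of the presented header with the expected one.
        ok = hmac.compare_digest(sent.encode(), basic_header(USER, PASSWORD).encode())
        self.send_response(200 if ok else 401)
        if not ok:  # the challenge names the scheme the server accepts
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        body = b'{"status": "ok"}' if ok else b""
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def call_service(url, user, password):
    """Non-interactive client: answer one 401 Basic challenge, then give up."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    statuses, request = [], urllib.request.Request(url)
    for _ in range(2):
        try:
            with opener.open(request, timeout=5) as response:
                return statuses + [response.status], response.read()
        except urllib.error.HTTPError as err:
            statuses.append(err.code)
            challenge = err.headers.get("WWW-Authenticate", "")
            if err.code != 401 or not challenge.lower().startswith("basic"):
                break
            # Credentials go in a header, never in the URL or query string.
            request.add_header("Authorization", basic_header(user, password))
    return statuses, b""

def run_demo(password=PASSWORD):
    """Start the loopback server, call it once, return (statuses, body)."""
    server = HTTPServer(("127.0.0.1", 0), ProtectedResource)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return call_service(f"http://127.0.0.1:{server.server_port}/orders", USER, password)
    finally:
        server.shutdown()
        server.server_close()
```

`run_demo()` returns the status sequence the client saw together with the response body; a wrong password stops after the second 401 instead of retrying indefinitely.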
 
J Kilgrow
Greenhorn
Posts: 21
But in REST aren't all of the service parameters passed as URL parameters? Isn't that a little insecure? I guess it would have to go over SSL...I would be interested to see what the various URLs look like. I guess it is time to put down the phone and dive into some code this weekend! :-D
Thanks!
 
Praful Thakare
Ranch Hand
Posts: 642
J Kilgrow wrote: But in REST aren't all of the service parameters passed as URL parameters


Hell NOOOO, you can pass values to REST in the body; how do you invoke POST?
Just imagine if you have to write a plain old Servlet (POS) to handle REST calls, how would you do that? Won't you call POST with username and password in the body? The frameworks we have help us get rid of writing boilerplate code like mapping a request to the exact method, validation, formatting output, etc.
But if someone wants to develop a REST application with a simple servlet, no one can stop shim ..

-P
 
Praful Thakare
Ranch Hand
Posts: 642
Okay, I just read the message from the Moderator in the first post:

Posts in this welcome thread are not eligible for the drawing, and should be reserved for welcoming the author. Questions posted in this topic are subject to removal.


So you may want to open a new thread if you have questions; I don't want to break any rules here.
 
J Kilgrow
Greenhorn
Posts: 21
Well, I feel dumb. Yeah. That is exactly how that would work. Thank you for keeping me straight!

So...really nothing special about REST? Right? Really we are just using the underlying HTTP infrastructure to pass information. Maybe that is oversimplified, but that is my first swing at a broad explanation about what REST is.
 
J Kilgrow
Greenhorn
Posts: 21
Ah! And if I could see the book promotion page I would have seen all the other posts. :'-(
 
Mohamed Sanaulla
Saloon Keeper
Posts: 3159
Praful Thakare wrote: Okay, I just read the message from the Moderator in the first post:

Posts in this welcome thread are not eligible for the drawing, and should be reserved for welcoming the author. Questions posted in this topic are subject to removal.


So you may want to open a new thread if you have questions; I don't want to break any rules here.

Thanks, Praful, for noting this.
I have created a new post out of this discussion.