I recently implemented my own authentication for RESTful web services within a Grails application I am building. The process is that the user sends some credentials in the HTTP header that a filter pulls out and then uses to authenticate the user via Spring Security. Everything goes over HTTPS so I feel pretty safe about the security of that model. Recently, when looking at using a 3rd party RESTful API, I noticed that they are having us send credentials in the XML body in an authentication block. Again, this is going over HTTPS.
My questions are as follows:
1. When implementing a RESTful web service architecture, is one method preferred over the other?
2. Is there any reason one method might be more secure?
3. Is there a better / more secure / more standard way of handling authentication with a RESTful architecture?
I've looked a bit into implementing my own OAuth but to me, that seems slightly over complicated, at least for my needs right now. This isn't a system where millions of people need to utilize an API.
In my opinion, requiring an envelope within the body makes a service non-RESTful. That's way too SOAP-y for my tastes.
Like you, I simply use HTTP authentication and that works just fine for me and my clients. It also has the advantage that GET requests can be made directly within a browser, and the browser knows how to prompt for credentials.
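As an added example, not code from either poster's system: the header-based check the question describes, implemented with the standard HTTP Basic scheme the reply above recommends. The user store, credentials and function names are constructed for the demo; the 401 response with a WWW-Authenticate challenge is what lets a browser prompt for credentials.

```python
import base64
import hashlib
import hmac
import os

# Constructed credential store: username -> (salt, PBKDF2-SHA256 hash).
# A real deployment reads this from its user database; values are generated inline.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Challenge sent on failure; browsers react to it by prompting for credentials.
CHALLENGE = {"WWW-Authenticate": 'Basic realm="api", charset="UTF-8"'}

def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a client (or browser) sends: 'Basic ' + base64(user:pass)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def parse_basic(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None if malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    if not sep:
        return None
    return user, password

def authenticate(headers):
    """The filter step from the question: pull credentials from the header and verify them.
    Returns (status, authenticated_user, response_headers)."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, None, CHALLENGE
    user, password = creds
    record = USERS.get(user)
    # Hash even for an unknown user so a missing account costs the same time as a wrong password.
    salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
    if record is None or not hmac.compare_digest(_hash_password(password, salt), stored):
        return 401, None, CHALLENGE
    return 200, user, {}
```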
Ah. Does that cause undue hardship on your consumers? (I was doing something similar, and found that it was much easier to consume the RESTful API using available tools if HTTP authentication was used.)
Bear Bibeault wrote: Ah. Does that cause undue hardship on your consumers? (I was doing something similar, and found that it was much easier to consume the RESTful API using available tools if HTTP authentication was used.)
No, because we have one consumer right now, and it is the iPhone application that we developed. So everything is very controlled. I'm just trying to figure what to do in the future.