
RESTful Authentication

 
Ranch Hand
Posts: 15304
6
Mac OS X IntelliJ IDE Chrome
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I recently implemented my own authentication for RESTful web services within a grails application I am building. The process is that the user sends some credentials in the HTTP Header that a filter pulls out and then uses that to authenticate the user via Spring Security. Everything goes over HTTPS so I feel pretty safe about the security of that model. Recently, when looking at using a 3rd party RESTful API, I noticed that they are having us send credentials in the XML body in an authentication block. Again, this is going over HTTPS.

My questions are as follows:

1. When implementing a RESTful web service architecture, is one method preferred over the other?
2. Is there any reason one method might be more secure?
3. Is there a better / more secure / more standard way of handling authentication with a RESTful architecture?

I've looked a bit into implementing my own OAuth but to me, that seems slightly over complicated, at least for my needs right now. This isn't a system where millions of people need to utilize an API.
 
Marshal
Posts: 67447
173
Mac Mac OS X IntelliJ IDE jQuery Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
In my opinion, requiring an envelope within the body makes a service non-RESTful. That's way too SOAP-y for my tastes.

Like you, I simply use HTTP authentication and that works just fine for me and my clients. It also has the advantage that GET requests can be made directly within a browser, and the browser knows how to prompt for credentials.
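Both designs discussed so far carry the credential in a request header: Gregg's filter reads a custom header and hands it to Spring Security, and Bear uses standard HTTP authentication. Below is an added example in Python, not code from either poster or from the Grails application described, showing what a service has to do to accept standard HTTP Basic credentials: parse the Authorization header as RFC 7617 defines it, reject malformed values, verify the password against a salted hash with a constant-time comparison, and answer a missing or bad credential with 401 plus a WWW-Authenticate challenge, which is what lets a browser prompt for credentials as Bear notes. The user store, the password, the request dictionaries and all function names are constructed for the demo.

```python
"""HTTP Basic authentication for a REST endpoint, server and client side.
Added example for this thread; not code from the posters or from the
Grails/Spring Security application described.  The user store, the password
and the request dictionaries are constructed for the demo."""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000


def make_record(password: str) -> Dict[str, bytes]:
    """Store a random salt and a PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed user store; a real service would load this from its database.
USERS = {"alice": make_record("correct horse battery staple")}


def parse_basic_credentials(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic <base64>' header,
    or None when the header is missing, uses another scheme, or is malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':', so split on the first one;
    # the password keeps any further colons.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def verify(user: str, password: str) -> bool:
    """Check a password against the stored hash in constant time."""
    record = USERS.get(user)
    # Run the KDF even for unknown users so timing does not reveal which
    # usernames exist.
    salt = record["salt"] if record else bytes(16)
    expected = record["hash"] if record else bytes(32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return record is not None and hmac.compare_digest(candidate, expected)


def handle_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Minimal handler returning (status, response headers, body).  The
    WWW-Authenticate challenge on 401 is what makes a browser prompt."""
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is None or not verify(*creds):
        return 401, {"WWW-Authenticate": 'Basic realm="api", charset="UTF-8"'}, "unauthorized"
    return 200, {"Content-Type": "application/json"}, '{"user": "%s"}' % creds[0]


def basic_auth_header(user: str, password: str) -> str:
    """Client side: the header value curl -u or any HTTP library would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for label, hdrs in [
        ("good", {"Authorization": basic_auth_header("alice", "correct horse battery staple")}),
        ("bad password", {"Authorization": basic_auth_header("alice", "wrong")}),
        ("no header", {}),
    ]:
        status, resp_headers, body = handle_request(hdrs)
        print(f"{label}: {status} {resp_headers}")
```

Basic only base64-encodes the credential, so it carries the same requirement both posters already assume: the whole exchange must run over HTTPS. The same parsing and verification logic applies to a custom header; the only thing a client gains from the standard one is that `curl -u`, HTTP libraries and browsers already know how to send it and how to react to the 401 challenge.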
 
Gregg Bolinger
Ranch Hand
Posts: 15304
6
Mac OS X IntelliJ IDE Chrome
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I agree that it feels very SOAPy. I should be clear though that I'm not doing HTTP Authentication. Does that change your thoughts at all with regards to my question?
 
Bear Bibeault
Marshal
Posts: 67447
173
Mac Mac OS X IntelliJ IDE jQuery Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
No, using headers is still more RESTful than envelopes.

But I'd ask why not use HTTP authentication? It's well-supported by libraries that consume web services and understood by all clients (such as browsers).
 
Gregg Bolinger
Ranch Hand
Posts: 15304
6
Mac OS X IntelliJ IDE Chrome
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Bear Bibeault wrote: No, using headers is still more RESTful than envelopes.

But I'd ask why not use HTTP authentication? It's well-supported by libraries that consume web services and understood by all clients (such as browsers).

Because I'm using Spring Security.
 
Bear Bibeault
Marshal
Posts: 67447
173
Mac Mac OS X IntelliJ IDE jQuery Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Ah. Does that cause undue hardship on your consumers? (I was doing something similar, and found that it was much easier to consume the RESTful API using available tools if HTTP authentication was used.)
 
Gregg Bolinger
Ranch Hand
Posts: 15304
6
Mac OS X IntelliJ IDE Chrome
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Bear Bibeault wrote: Ah. Does that cause undue hardship on your consumers? (I was doing something similar, and found that it was much easier to consume the RESTful API using available tools if HTTP authentication was used.)

No, because we have one consumer right now, and it is the iPhone application that we developed. So everything is very controlled. I'm just trying to figure what to do in the future.
 
Bear Bibeault
Marshal
Posts: 67447
173
Mac Mac OS X IntelliJ IDE jQuery Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Got it!

Most of mine are consumed by "things out there", so making it easy to consume is in my client's best interest.

(Things are SO much easier when you are your own client, aren't they?)
 