user1177292

Reputation: 273

SSL and authenticating users

I have a REST API which clients connect to over SSL (self-signed cert, 2048-bit).

I was thinking of implementing the following security:

  1. The client requests a RSA public key from the server
  2. Encrypts the username / password
  3. Adds these to the header of EVERY REST call allowing the server to be stateless

The application involves users adding credit cards (the numbers themselves are encrypted) and purchasing products, so security is critical.

We also have very limited time from an iPhone client point of view, so I was hoping the above would be suitable?

Upvotes: 1

Views: 93

Answers (1)

Raffaele

Reputation: 20885

Usually, when it comes to security, one doesn't want to reinvent the wheel. It's way better to use state-of-the-art technologies, so you'll benefit from others' (likely more skilled than you) work.

If you have a RESTful API on SSL, I don't think you have written your own custom TCP protocol. Likely you'll use HTTP, so since it's on SSL, you are on HTTPS.

When using HTTPS, your browser makes sure that the request is signed and encrypted so that only the other end (the service) can authenticate the client and decrypt the message. So there is no need to encrypt data or use custom headers. A simple cookie-based session is enough, so you don't send users' passwords in every request.

Upvotes: 1
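One concrete shape for the "don't send the password in every request" advice above, as an added example that is not part of the original answer: after a single password check over HTTPS, the server hands back a signed, expiring token (usable as a cookie value or an Authorization header), so later calls carry no credentials and the server stays stateless as the asker wanted. `SERVER_KEY`, `issue_token` and `verify_token` are hypothetical names chosen for this illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side secret. In a real deployment this comes from
# configuration or a secret store, never from source code.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding, so the token is header/cookie friendly.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, key: bytes = SERVER_KEY, ttl: int = 3600, now=None) -> str:
    """Create a signed, expiring session token once the password has been verified."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": user_id, "exp": now + ttl}, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str, key: bytes = SERVER_KEY, now=None):
    """Return the user id if the token is intact and unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered token (constant-time comparison)
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims.get("sub")
```

The password is checked exactly once, at login; every subsequent request is authenticated by the HMAC tag, and revocation after `ttl` seconds needs no server-side session store.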
