Ivan

Reputation: 64207

What are conventional and best practices for REST web service authentication?

I am starting a new project (a web application) and would like it to retrieve and submit most of its data through REST web services with AJAX. But I hardly have a good idea of how to make a web service know who is accessing it and only give the data to those who are eligible.

Upvotes: 0

Views: 1736

Answers (1)

HACKViDHI

Reputation: 46

REST web services are stateless, so the authentication should also be stateless.

The most commonly used method for this authentication is to use HTTP authentication headers (details here --> http://www.ietf.org/rfc/rfc2617.txt). Here the prerequisite is that you should be using SSL/HTTPS; otherwise these HTTP authentication headers will become vulnerable to a man-in-the-middle attack.

If your website doesn't use SSL then you should probably look to other methods of authentication; this article (http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/) discusses all those methods in detail. It basically describes mechanisms which are used by Amazon Web Services to authenticate non-SSL requests.

Hope this will help.

Upvotes: 3
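One stateless scheme of the kind the linked article describes, written here as an added example (not code from the question, the answer or the article): the client signs each request with a shared secret and the server recomputes the HMAC, binding the method, path, body and a timestamp so a captured request cannot be altered or replayed indefinitely. The key id, secret, header names and skew window are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo credentials (not real keys): the server keeps a map of
# public access-key id -> shared secret; the secret never travels in a request.
CREDENTIALS = {"AKDEMO123": b"demo-secret-do-not-use"}
MAX_CLOCK_SKEW = 300  # seconds a signed request stays acceptable (replay window)


def canonical_string(method, path, timestamp, body):
    """Bind method, path, time and body into the string that gets signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(key_id, secret, method, path, body, timestamp=None):
    """Client side: return the headers for a stateless authenticated request."""
    ts = int(time.time()) if timestamp is None else timestamp
    msg = canonical_string(method, path, ts, body).encode()
    mac = hmac.new(secret, msg, hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(headers, method, path, body, now=None):
    """Server side: recompute the signature and reject stale, unknown or forged requests."""
    now = int(time.time()) if now is None else now
    try:
        key_id = headers["X-Key-Id"]
        ts = int(headers["X-Timestamp"])
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return False  # missing or malformed auth headers
    secret = CREDENTIALS.get(key_id)
    if secret is None or abs(now - ts) > MAX_CLOCK_SKEW:
        return False  # unknown key, or request outside the replay window
    msg = canonical_string(method, path, ts, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    body = b'{"qty": 1}'
    hdrs = sign_request("AKDEMO123", CREDENTIALS["AKDEMO123"], "POST", "/orders", body)
    print(verify_request(hdrs, "POST", "/orders", body))  # True
    print(verify_request(hdrs, "POST", "/orders", b'{"qty": 2}'))  # False: body tampered
```

Without HTTPS this still exposes the request contents to anyone on the path; it only keeps the secret off the wire and lets the server detect tampering and stale replays.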
