Reputation: 79
Simple REST authentication
I'm working on my own project (mostly for education) and I need to create authentication & authorization mechanism for my REST service. I've read a few articles & some good answers here, but i still can't understand the process completely. So from my point of view the simple process of authentication & authorizationshould look simething like this:
- User enters login and password in the web browser. But is it safe to pass credentials as regular parameters in the url? Even after client-side encryption.
- If valid credentials were passed REST service returns some token, which is unique for each user. This token should be passed in http header for every request and define user permission (i assume SSL is mandatory in this case). But where user should store this token? Is is approach safe?
- Each request should be passed through filter that compares user permission (fetched from token in header) and resource permission. In case access should be denied 401 error will be returned.
So that's how I see solution, but it doesn't seems secure and reliable so far. Any corrections/advises/suggestions/links ?
Thanks in advance for everyone!
Upvotes: 2
Views: 389
Answers (1)
Reputation: 79
Okay, I've spent some time investigating my problem and here is the solution i found
- Thanks to Suketu for comment! Credentials could be passed in the url using POST & HTTPS.
It's ok to add custom token to every request, but also cookie-based auth is acceptable. What about my question: there 2 types of HTML5 Web Storage
1) window.localStorage - stores data with no expiration date
2) code.sessionStorage - stores data for one session (data is lost when the tab is closed)
Useful links
If you want to get more information about cookie-based vs token-based auth you can dive into AngularJS article (https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/)
IMHO good question of how to generate tokens & related questions (https://security.stackexchange.com/questions/19620/securing-a-javascript-single-page-app-with-restful-backend)
A guide for web storages (https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Storage#localStorage)
And a guide for java developers how to create REST service auth(http://howtodoinjava.com/2013/06/26/jax-rs-resteasy-basic-authentication-and-authorization-tutorial/)
UPDATE A little bit more up to date article about auth with jax-rs 2.0 and jersey (http://www.theotherian.com/2013/07/creating-resource-filters-with-jersey.html)
Hope this will be helpfull for someone :)
Upvotes: 2
Related Questions
- REST API Authentication
- HTTP basic authentication over SSL for REST API
- Rest API under https security
- REST authentication / authorization
- Rest Webservice Basic Authorization
- RESTful API security
- Simple RESTful API authentication
- Decent but simple authentication for Web REST API
- Is this Security/Authentication ok for my REST API?
- REST(ful) simple authentication without SSL and HMAC?