SaKet

Reputation: 1638

User Authentication using REST

I apologize if my question seems repetitive, but I couldn't find an answer for this yet.

I am building a REST based application using Spring 3.0 and plan to deploy to Google App Engine eventually. Now my clients could be Native Android, iPhone, or a Web Based Client.

My users need to log in using a username and password stored on the server inside a persistence layer. Now say my Android client opens the app and the login screen is shown to the user. Now the user types in a username and password.

I know it would be a POST, and say my service endpoint is registration. So it would be something like

POST /registration

Now I plan to put the username and password in the body of the message in JSON or XML format. My question is: is this the right way to do it? I am planning to use SSL, but how should I really send sensitive info like this in the body? I plan to return an OAuth token on successful authentication and use that to validate the user in all future service calls.

Thanks in advance.

Upvotes: 5

Views: 3092

Answers (2)

Darrel Miller

Reputation: 142014

Use the authorization header for sending the username and password information. That's what it is there for.

Upvotes: 2

Clavicle

Reputation: 152

Sounds like you have the right idea. SSL should ensure whichever method you choose to send it in is secure.

Remember to salt + hash the passwords before storing them: web cryptography - salted hash and other tasty dishes

Upvotes: 2
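The two answers together describe one exchange: the login request carries the username and password in an `Authorization: Basic` header (over TLS), the server checks them against a salted hash rather than a stored password, hands back a random bearer token, and every later call presents that token in its own `Authorization: Bearer` header. The following is an added example of that flow, not code from the question or either answer and not the poster's Spring application; it is written in Python with an in-memory user table standing in for the persistence layer, and the `handle_login` / `handle_api_call` functions model the HTTP handlers (status code and headers in, status code and body out) without a web framework. PBKDF2-SHA256, the iteration count, and the token length are assumptions, chosen as reasonable defaults.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Assumption: an in-memory store stands in for the persistence layer.
# username -> (salt, PBKDF2-SHA256 digest). The password itself is never stored.
_USERS = {}
# sha256(token) -> username. Storing only a hash of the token means a leaked
# table does not hand out live sessions; the client keeps the raw token.
_TOKENS = {}

# Assumption: iteration count. Raise it as far as your login latency budget allows.
PBKDF2_ITERATIONS = 200_000
_SALT_BYTES = 16


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register_user(username, password):
    """Salt + hash the password before storing it (Clavicle's point)."""
    salt = os.urandom(_SALT_BYTES)
    _USERS[username] = (salt, _pbkdf2(password, salt))


def verify_password(username, password):
    record = _USERS.get(username)
    if record is None:
        # Burn the same work for unknown users so response time does not
        # reveal which usernames exist.
        _pbkdf2(password, b"\x00" * _SALT_BYTES)
        return False
    salt, expected = record
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


def basic_auth_header(username, password):
    """Client side: build the value for 'Authorization: Basic ...'."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(headers):
    """Server side: return (username, password) from the header, or None if absent/malformed."""
    value = headers.get("Authorization", "")
    scheme, _, param = value.partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def handle_login(headers):
    """Model of POST /login: Basic credentials in, bearer token out.

    Returns (status, response_headers, json_body). Credentials travel only in
    the Authorization header (Darrel's point) and only over TLS in a real deployment.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="api"'}
    creds = parse_basic_auth(headers)
    if creds is None or not verify_password(*creds):
        return 401, challenge, None
    token = secrets.token_urlsafe(32)
    _TOKENS[hashlib.sha256(token.encode("ascii")).digest()] = creds[0]
    return 200, {"Content-Type": "application/json"}, {"token": token}


def handle_api_call(headers):
    """Model of any later call: 'Authorization: Bearer <token>' -> (status, username)."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, None
    username = _TOKENS.get(hashlib.sha256(token.encode("ascii")).digest())
    if username is None:
        return 401, None
    return 200, username


if __name__ == "__main__":
    register_user("alice", "correct horse battery staple")
    status, _, body = handle_login({"Authorization": basic_auth_header("alice", "correct horse battery staple")})
    print("login:", status, body)
    print("api call:", handle_api_call({"Authorization": "Bearer " + body["token"]}))
    print("bad password:", handle_login({"Authorization": basic_auth_header("alice", "wrong")})[0])
```

The Basic header is only a transport-level encoding, not protection: base64 is reversible, so the TLS layer is what keeps the credentials private on the wire, exactly as it would for a JSON body. What the header buys is that the credentials stay out of request logs that record bodies, out of intermediaries' caches, and in the place existing HTTP clients and servers already know how to handle. The token returned here is an opaque random value tied to a server-side table; it is not an OAuth grant, which would involve a separate authorization server.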
