Ivan

Reputation: 64207

How to authenticate a Lift REST web service client?

I am developing a REST web service with Scala and LIFT and have hardly any good idea on how to authenticate a client. I was thinking about a standard HTTP authentication, but found out it is very insecure as it passes passwords over a network in b64-encoded plain text. So how do I better do it?

Upvotes: 2

Views: 1014

Answers (2)

thoredge

Reputation: 12601

Basic authentication will pass password and user name in (nearly) clear text. If you use digest authentication instead it will still be prone to man-in-the-middle eavesdropping, but you should be safer from password theft and session takeover. This chapter in Exploring Lift has some information about digest authentication in Lift: http://exploring.liftweb.net/master/index-9.html

Upvotes: 0
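To make the Basic-vs-Digest switch the answer describes concrete, here is an added Boot.scala excerpt (example code, not from the question, the answer, or the Lift project). It uses Lift's real authentication hooks (`LiftRules.httpAuthProtectedResource`, `LiftRules.authentication`, `HttpDigestAuthentication`, `AuthRole`, `userRoles` from `net.liftweb.http.auth`, as of the Lift 2.x-era API); the realm name, the `api` path prefix, the role name and the `lookupPassword` function are assumptions for illustration.

```scala
// Boot.scala excerpt: protect /api/... with HTTP Digest instead of Basic.
// Added example; realm, path, role and lookupPassword are assumptions.
import net.liftweb.common.{Box, Empty, Full}
import net.liftweb.http.{LiftRules, Req}
import net.liftweb.http.auth.{AuthRole, HttpDigestAuthentication, userRoles}

class Boot {
  // Hypothetical credential store. Digest verification requires the server
  // to know the password (or the precomputed MD5(user:realm:password), "HA1")
  // so it can recompute the client's response; a salted one-way hash of the
  // password is not enough for this scheme.
  def lookupPassword(username: String): Box[String] =
    if (username == "apiuser") Full("constructed-secret") else Empty

  def boot(): Unit = {
    // Every request whose path starts with /api requires the "api" role.
    LiftRules.httpAuthProtectedResource.append {
      case Req("api" :: _, _, _) => Full(AuthRole("api"))
    }

    // With Digest, the client sends MD5-based response hashes built from a
    // server nonce; the password itself never crosses the wire. `verify`
    // is supplied by Lift and checks the client's response against the
    // password we pass in.
    LiftRules.authentication = HttpDigestAuthentication("lift-api") {
      case (username, req, verify) =>
        lookupPassword(username) match {
          case Full(password) if verify(password) =>
            userRoles(AuthRole("api")) // grant the role for this request
            true
          case _ => false
        }
    }
  }
}
```

The caveat the answer hints at still applies: Digest protects the password from a passive observer, but the request and response bodies remain in clear text and a nonce-reusing or active attacker can still interfere, so this is a step up from Basic rather than a substitute for TLS.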

Michael Lorton

Reputation: 44386

If you want authentication to be secure against being observed in transit, your only realistic option is HTTPS. Technically, there are key-exchange protocols like Diffie-Hellman, but they aren't widely supported.

But the problem of observing packets in flight is almost a nonexistent one. In a shared LAN, it is possible, though not necessarily easy, to use a tap like FireSheep -- but it typically would be easier and more effective to walk over to the guy's computer and install a key-logger.

Upvotes: 1
