I am trying to create a RESTful web service using Jersey framework on google appengine. I am using apache shiro for authentication.
Let's say I have the following scenario:
There is a admin user pre-configured which creates other user and provides the username and password offline to each of those users.
For the normal users, there are a number of REST APIs. There is one API:
GET /tokenInfo which should use username and password for authentication and return a UserId and token as response.
For all the other REST APIs, I want the credential used for authentication to be the UserId and Token instead of Username and password.
So basically it a scenario where the credential pair used for authentication varies based on the API.
How can I achieve this in shiro. From what I understand, doGetAuthenticationInfo() passes the credentials sent by the client and expects you to validate, but in this case, I need to know which API is called. So is there a way to get the URL?
If no then what other way is there to achieve this?
Sounds like you would need to create a custom filter, to build the type of token you want to pass to your realm, take a look at one of the defaults as an example:
https://shiro.apache.org/web.html#default-filters
Related
I am creating a rest api to be the backend for a messaging app. I want a user to only have access to their own data. For example user1 can call /users/user1 but not /users/user2. How would I go about doing this.
So first the user will login and be authenticated via their username and password. But where do I go from here? I was thinking of storing a token with the users data so when they access it I can verify that the pair matches but there must be a better way to do this. Do I need to restructure my api?
After the user logs into the system, you should provide them a token or initialize a session for that user. In each consecutive call, the user should send the token to the API. As long as the token/session is alive user should be able to call the API.
You should have a way to verify the user token in the backend for each API call. A very popular way of doing this is to use JWT(JSON Web Tokens) based authentication.
See here for an example using python and flask: https://realpython.com/token-based-authentication-with-flask/
Once you verify the user, you should parse the user id to the database query in order to filter out the data for that user.
Even though I don't understand your full use case, it seems like you need to restructure your API calls as well. You should not provide API calls per user. What happens when the numbers of users increase in your system dynamically?
So you should either accept user id as a parameter or you should let the JWT authenticator take care of it.
Example REST API call would be
GET /user/data?userId=1234
My project include a web application, a mobile app and a REST API module.
The mobile app is made with Ionic 3 for android and uses a REST API located to an address like example.com/api.php on a server with https. The API has access to a MySQL database.
For the users who access the API I have to create the login/access to API function/logout since they already have the accounts created in the web application.
The main concern is to implement a secure login. Meaning, if someone tries to access my API without authorization (knows the address, the functions name or the used parameters name) to recive an error message. In order to access the API you must be logged in and to have the right to acces a certain section (I have multiple levels of access).
But how can I detect if an user that access my REST API is logged in and has the proper rights?
The plan:
For the login step
In order to access the REST API I have to login with username/password in app. I check if the credentials are correct (if the user exists then I determine the access level) and return a JWT with the user ID and other parameters if necessary (a token). Store in phones local storage the JWT.
To secure the access to REST API functions
The question is: HOW DO I DO THAT? How do I access secure a function from my REST API?
for every request that I make to the REST API should I send also the token from the Local Storage and verify it on the server side?
how do I perform the validation on the server? Do I store the token on the device and also on the server and compare them for each request?
Thanks a lot!
There are multiple ways to do it, it's all depends on you. Hence i am sharing the method i generally use, but not claiming it is most secure way.
We use encryption, decryption with private key. for example:
Register User Web-Service
ex. we have 4 params 1. username 2. name 3. email 4. password. with my register web service.
We will create SHA256 Hash using data concat with private key. then we will pass the hash key to server and at server side we will generate hash key with same method and compare both.
ex. string with private key = usernamenameemailpasswordprivatekey
sha256 of string = 7814b2d22af647308884acff0be4c675b7f72ba000cf1e8390520100cc930e74
You may have any sequence of your data string and same method will work with your server. Always use SSL certificate with your server for more security.
When I use public APIs from web applications, I am provided with an API key that I use inside my client, as a string.
Now suppose I design a REST API for internal consumption. Let's say for a mobile app eshop. The user of the eshop logs in with a username and a password.
Does that mean that my client won't use API key authentication but username and password? I also see OAuth2 a lot in REST APIs, which also seems like a key-oriented authentication. Are they just different types, all valid ones? The API keys are usually issued for developers though, could that work with customers?
It could work and it's also what you will be seeing in many cases. You login with username and password (POST request) and the server returns you an authentication token which you store in a Cookie through response headers. When user specific information is being required you would be using that token to authenticate, similar to how OAuth2 and dev keys work.
Based on my understanding on your question -
There are methods or way on how you can authenticate your api. Some of the common ones are through Oauth, Token authentication and Basic auth (username and password).
You can read some of the concepts here - http://www.django-rest-framework.org/api-guide/authentication/
Hope this helps
I'm evaluating whether to use Ionic's cloud Auth service and it seems like it's relatively easy to implement client-side, where you can check this.auth.isAuthenticated. You can also set the user info from the client side as well.
However, if I want to do check their identity server-side, such as check that a user is authenticated when they call my custom api to post a comment - how can I get some sort of token (preferably a JWT token) that I can use to validate their identity server-side? Assuming we are using email/password authentication.
Also - using their send notification on a user's birthday example, how can I query the user data in ionic cloud's database to say find all users who have a birthday today. Can I export out the user data in any way if I want to migrate away in the future?
You should implement a JWT authentication service server side.
In other words when the user is authenticated, the app can send a JWT token to the server which should be evaluated to trust the remote user.
For more info reads: https://docs.ionic.io/services/auth/custom-auth.html
A php example here: https://github.com/driftyco/custom-auth-examples/tree/master/php
Regards from Italy
I am using laravel 5.1
I want to make login using REST api. I have searched about Sentry. But there is no documentation for Laravel 5. I don't know it will work with laravel 5. I just want to know what is the best way to login my laravel application using REST?
Laravel for Rest API development Good Choice
Even I am using it for Rest API development
For Login I am using a session field from database which acts as token for validating user accessing the API
so, if the request has the session token and it matches to the token from database then its a valid request
this approach is taken by me for validating request to my API, And every login I am resetting the token
How to create the token
Token should be able to identify the user i.e. which user is sending the token for that I am creating token by hashing userID + salt(Random and very long string).
How it works
User who is able to access the API sends login credentials, if the credentials are valid I am creating token for the user and storing the token in database with the user whose credentials are provided and sending the token value to the user as response and next time I am validating each request with the Access token
Recommendation
Instead of Laravel you can consider using Lumen(A micro-framework by Laravel) also for developing rest API.
For detailed information about rest and rest authentication
How to do authentication with a REST API right? (Browser + Native clients)
What exactly is RESTful programming?
What is REST? Slightly confused
RESTful Authentication