What is REST when using in WEB ?
Too many documentations, but is it just a simple attitude using existing html protocol, that may replace web-services.
Is it as following?
Like PAYPAL ...
Just using method from a specific server using http protocol: https://?
and on the server side using the value by get/post methods.
Entities:
Clients - every client that has access to server A (for the specific service).
Server A - Server (for the client use) that has an access to server (with an access key, like PAYPAL supports).
Server B - Server that has the API with some methods that returns to client.
Steps:
1. User ask from server A (server A uses the API) for a token.
2. Server A open a session with server B and send request for token (with the access key provided) to server B
3. Server B may reject or accept the request and send back the token to server A.
4. Server A may keep the token in session variable and send the token to the client.
5. Client use the token
6. Client send requests to server A, that send requests to server B with the token, keeping the same session.
Is the above correct?
Is that the concept of REST?
If not - need some guidelines, please.
Thanks :)
I think the concept of tokens is beyond the REST concept.
Rest (Representational state transfer) has more to do with the way you use the http methods to represent your desired action, like going to /users with get should give you back an arrays of users, then post in /users/1234 should create a user with id 1234 for example, or delete in /users/1234 should delete the user with 1234 id, etc.
It is an architecture where the http methods have a meaning.
Anyway there are more details of it, I would continue to read more with below;
http://en.wikipedia.org/wiki/Representational_state_transfer
Related
For projects that will take place in the future, it is important that my own REST server will be created. Now, I have been working on this for a few weeks, and everything concerning the REST server is ready. I can give requests and receive responses. I am just missing the security through OAuth2.
After some research, I found the authorization server from carlosHE. Now, I have everything installed in Delphi, but I do not understand how I can get the authorization workable for my REST server.
Are there people who have experience with applying the OAuth2 protocol to REST servers using carlosHE/oauth2-server? Or, maybe there are other ways that work?
Draft answer:
The client must get an access token from the OAuth2 server. (how to authenticate the client is a different question)
The access token must be stored server-side, so that the REST server can validate client REST requests.
The client then can send REST requests which contain the access token. (typically sent as a HTTP header value)
I want to develop a java application with REST web services, as it will have browser client and mobile client. My concern is session management, could anyone suggest me what is the best and recommended way to manage the session. Scenario: An employee will login and then he will call for other services like salary details, work hour details, permanent address etc. Here all these details will be exposed as individual REST web service. After login of employee any further request like request to see the permanent address will be REST service call. Please provide me the best and recommended solution.
In scenario where you want to support mobile as well as web application, token based authentication and session handling can be a good approach you can follow.
You can either go with existing token based third party API's like (OAuth2) or you can create your own token based session management system.
Proposed Solution :
Whenever your application get's first hit create and save the random token (say 64 bit random generated string).
Mobile and Web Application will save this token in it's memory and send this token in headers every time it makes a webservice call.
You will need one web service which will accept all your request and redirect request to your application only when token is valid. If token is invalid it deny access to the applicaton service. (Gateway7 works in same way)
You can pass a key for every webservice url. say app.xyz is my identifier. Which points to xyz url of my application 'app'. So your url's will be maintained at server and client will only have identifiers and one URL of your token validator application say 'Token Handler'.
So in this 'Token Handler' application you can set your session time. This will be time for which your token will be valid. So if you don't get any hit from that particular user for say 15 minutes then you will mark it as invalid token for next request.
Please let me know we can have discussion if you need any additional help on it.
I am creating my first webapi project using ExtJS for the client-side and trying to understand login procedures. I'm trying to understand what SESSION is used for and if I use REST, SESSION should not be part of it.
REST by design is stateless. By adding session (or anything else of that kind) you are making it stateful and defeating any purpose of having a RESTful API.
The whole idea of RESTful service is that every resource is uniquely addressable using a universal syntax for use in hypermedia links and each HTTP request should carry enough information by itself for its recipient to process it to be in complete harmony with the stateless nature of HTTP".
I'm a bit confused on session... normally, when a user logs in the sessionID is recorded somewhere on server? Then when user makes another request, url sends this sessionID back to server and if the ID is valid proceed with request.
Do I have this right?
On the other hand with rest the request message basically sends the username/password everytime a request is sent.
Do I have this right? Using REST on my webapi, can I skip the whole concept of SESSION and just keep sending username/password... or is there a better way?
can I skip the whole concept of SESSION and just keep sending
username/password... or is there a better way?
Yes, Web API has Token based Authorization - Bearer token. By using it, you can totally avoid using Session State.
Secure a Web API with Individual Accounts and Local Login in ASP.NET Web API 2.2
In a nut shell, when a user is successfully authenticated, server issues a token instead of session state. Then every request, the user sends the same token along with the payload.
I am building a RESTful web service using ASP.NET web API. I've read that it isn't very RESTful to use session authentication since a "login" request is required before any other request can be successfully made. In addition, it requires the client to maintain state.
My original design was to have the client call a "login" request using basic HTTP authentication over SSL. The web service would then verify the credentials and respond with a session key. The client then uses that session key to sign all subsequent requests. When the web service receives any of these requests it looks up the session key, signs the request in the same way, and checks if the two signatures are equal.
Is it possible to avoid this session authentication without having to send the username/password with each request? The credential verification does not happen within the web service (it is routed to another server that maintains users). I'm concerned that performance will be affected if I need to validate each request.
It's not possible. You either store the state or get the credentials with each request. The second option is what you would want with your HTTP API.
Depends what you mean with "validate"
you could e.g. cache the hash(username+password) in your application. And on subsequest requests check if the cached entry still exists. This way you can save roundtrips to your backend store.
I have a set of REST services that I ONLY want my web application to consume. I do not want my users to be able to use their credentials and have the services consumed by a third party application (since my data is paid for). I there a way to ensure that only my javascript can make calls to the services from a browser that cannot be spoofed (request headers and user agent detection for instance will not work.)
This is probably more of a creative problem.
I am also providing a REST API. I use a mix of an API Key which is always static an can be spoofed. Next is a signature which will be generatet on clinet side and prooved on server side on each request. The signature is build by a combination of all parameters AND a secret password. this prevent a man in the middle from executing for example the same call with another parameter.
Only bad is that a spoofed request can be sent again. I dont know already how to prevent that.
Signed client certificates and HTTPS.