I've implemented a web application with form and OpenID authentication, but in addition I want make my webapp RESTful. On the other hand requests to REST should be accesible only to authenticated users.
What is the best way to make my REST service secure?
Look at this example . I guess that solves your problem. A little google search yielded me to that page.
Related
In my current work, I have to develop an intern REST API engine.
I have read the Roy Fielding thesis, documented myself, and I finally got something that works great easy to use, with high performance, corresponding to the Fielding REST spec.
There is only one point that I dont really know how to overcome : the security problem.
Again, I documented myself, and I wanted to use OAuth2.0 in my engine.
The problem is that I dont understand nothing at all how to use this protocol.
I dont understand how the consumer can connect himself and be recognized by the server.
I dont understand if I have to provide API key to my consumer(like Facebook, Twitter and Google make it) or if a token will automatically be generated if I send a login / password to the server
I dont know if I have to create my own OAuth2.0 server that provides keys, or if OAuth2.0 libraries are sufficient to provide security.
In fact, I dont understand nothing at all with OAuth2.0, and I need to learn. The problem is, every documentation that I try to read is like chinese, I didn't find an easy one, step by step that will help me with this.
That's why I post here, can you help me understanding a bit more OAuth2.0 and the secured authentication for API ?
I willingly didn't speak about the technologies, because I want to understand OAuth2.0 before applying it technically.
Thanks for all
The main problem with OAuth (both versions) is that you'll see a lot of talk about the three legged version. That is when you have user, a data-providing service and a consuming service, let's say a service that will create physical copies of your flickr photos. In this case the OAuth flow allows the user to tell flickr that the third party can access their data. This is not the scenario you are after, you are interested in 2-legged OAuth, see here for a description.
Of course you could look at other methods too. I've used HAWK in a number of REST/Hypermedia APIs and found it to be great to use in both nodejs and .NET server stacks.
Thank you for your answer, I studied a bit more OAUth2 en tried to implement it with 3 stragery : basic, clientPassword, bearer.
I created a new thread for an other problem, if you want to take part of it :
OAuth2 server creation with nodejs
I have a public SPA that is calling my backend REST service via JavaScript. How can I secure the REST service so that it will only accept calls from my SPA and no other clients or users?
Any way that I can think to secure it would involving storing some kind of secret, however because the SPA is written completely in JavaScript anyone can view the source.
The most common practice for securing an API is a combination of API-key & using SSL (https)
Here are some links that will point you in the right direction:
Theoretical:
http://www.slideshare.net/jfaustin/securing-your-api (from slide 17 onward)
https://security.stackexchange.com/questions/18684/how-to-implement-an-api-key-mechanism
Practical:
(.net) http://blogs.msdn.com/b/rjacobs/archive/2010/06/14/how-to-do-api-key-verification-for-rest-services-in-net-4.aspx
also, pluralsight (http://www.pluralsight.com/training)
Has amazing videos (unfortunately paid membership) on the topic & much more!
Hope it helps
I hope someone could help with this:
I am working on a php project and I need to implement the authentication of the application as a Service. I need to do something like Google where offers a Service to login in other applications using Google's Authentication Service (for example trello.com allows visitors to login with their google account).
I would like to clarify my mind, because I have no idea how to start it. I am using Symfony2 framework and I'm trying to work RESTFully, but basically what I need is just an idea of what I have to do or investigate to carry this out.
As the symfony Ecosystem is big, take a look at the FOSRestBundle for creating the API. Then there is the NelmioApiDocBundle for easy documentation of your REST-API. For authenticating you should consider OAuth, so take a look at the FOSOAuthServerBundle. With all three combined you can create a great API.
Also read this article, about REST APIs with Symfony2: The Right Way
I have setup FORM-authentication within web.xml (java-webcontainer) successfully.
I did not find a way to sent the username/password within the get-request of the restful-uri from my client when using FORM-Authentication. So I have to use BASIC-Authentication only for the restful-uri.
So I have this question:
How can I set up both form-based authentication and basic authentication?
Basic authentication should only be enabled for the restful-uri.
I was also facing a similar problem and I realized that if you are using Wildfly then its possible to configure multiple mechanism using web.xml:-
<auth-method>BASIC?silent=true,FORM</auth-method>
Using this silent basic authentication will be tried first, which is basic authentication that only takes effect if an Authorization header is present. If no such header is present then form authentication will be used instead.
Maybe its too late for a reply but I just updated this in case someone finds this useful :P
There were no responses here for a while, so I did a quick servlet refresher myself. Servlet specs indeed allow only one <login-config> element per web application, so there is no way to have an entry point with BASIC authetication for the REST API and another with FORM-based authentication for the UI. The only option is to build them as two independently deployable applications. To avoid code duplication, it might be a good idea just to let the UI application talk to the REST API the same way the third-party clients are supposed to.
I would like to have some guidance regarding how to handle authentication for my restful service to be able to support a couple of different scenarios, see included image?
I've been thinking about this problem for a couple of week without finding a solution for all of the cases and even if I'll make trade offs I'll be running into problems
If we skip the Mobile application and the use of Curl, there's no need to expose the service to the public and it would be possible to use basic authentication for the server to server communication. But we'll still need to put some responsibility at the "Web site for ninjas only" to pass the (openid authenticated user) as part for the http header?
In this case we're using Google apps to manage credentials for our co-workers and I don't like the idea to manage another username/password within the service if it's possible to avoid.
Is there any sustainable solution for my dreams, so that I can build awesome features for the client and implement a tight api that manages the authorization for different resources for a specific user?
Another possible to solution might be to integrate the service with the openid provider, but then I'll have problem with passing the user from "Web site for ninjas only"