 

Authentication in a RESTful web-service

I'm building a restful web-service based on Spring. I'm using Spring Security. It will be accessed only by desktop applications. Basically a machine-to-machine web-service.

  • I want a custom service that does the authentication. Then perform other, more sensitive operations based on the result of the authentication.

  • Another option is to send the credentials in the body of each request and basically do the authentication each time.

Logic says that the first approach would be the most efficient because there is quite some overhead in authenticating each and every time.

What do you suggest related to this? To go stateless or stateful? Are there major disadvantages to the stateful approach?

Up to this point I have read some chapters from Java Web Services Up and Running and also several questions from SO such as this.

Ariel Chelsău asked Jun 17 '12 17:06




1 Answer

The REST way to do this is, as stated in the links you provide, to authenticate on each request, and NOT to keep sessions.

As for authenticating with username/password on each request, it is secure if you can use ... a secure layer (https); otherwise, the pair is sent in clear text and discoverable.

Another option is to use something like the AWS way to do it (links to Amazon here and here, for example). Here for other explanations: buzzmedia and samritchie.

Maybe OAuth is an option, but I don't have experience with it.

jmclem answered Sep 29 '22 15:09
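The answer above recommends authenticating every request instead of keeping a session, and mentions the "AWS way" (signing each request with a shared secret) as an alternative to sending the username/password pair each time. The following is an added example, not code from the question, the answer, or Spring Security, showing both sides of that stateless scheme in Python: the client computes an HMAC-SHA256 over the method, path, timestamp and body hash, and the server recomputes it from its own copy of the secret, compares in constant time, rejects requests outside a clock-skew window, and refuses a signature it has already seen. The access-key id, secret, key store, header names and request contents are all constructed for the example; nothing here is an AWS-compatible signature format.

```python
"""Stateless per-request authentication with HMAC-signed requests (added example).

Client and server share a per-client secret. No session is created on the server;
each request carries everything needed to authenticate it.
"""
import hashlib
import hmac
import time

# Constructed key store: access-key id -> shared secret (hypothetical values).
KEYS = {"AKID-EXAMPLE": b"0123456789abcdef0123456789abcdef"}

MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 min off


def canonical_string(method, path, date, body):
    """The exact bytes both sides sign; hashing the body keeps it fixed-size."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, date, body_hash])


def compute_mac(secret, method, path, date, body):
    msg = canonical_string(method, path, date, body).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_request(access_key, secret, method, path, body, date=None):
    """Client side: returns the headers to attach to the request."""
    if date is None:
        date = str(int(time.time()))
    mac = compute_mac(secret, method, path, date, body)
    return {"X-Date": date, "Authorization": f"HMAC-SHA256 {access_key}:{mac}"}


class Verifier:
    """Server side. Holds the key store and a replay cache of accepted MACs.

    The replay cache only needs to remember MACs inside the skew window;
    a production deployment would use an expiring store shared by all nodes.
    """

    def __init__(self, keys):
        self.keys = keys
        self.seen = set()

    def verify(self, headers, method, path, body, now=None):
        """Returns (ok, reason). The reason is for server logs; the HTTP reply
        to the client should be a uniform 401 so key ids cannot be enumerated."""
        now = time.time() if now is None else now
        scheme, _, rest = headers.get("Authorization", "").partition(" ")
        if scheme != "HMAC-SHA256" or ":" not in rest:
            return False, "malformed Authorization header"
        access_key, _, presented = rest.partition(":")
        secret = self.keys.get(access_key)
        if secret is None:
            return False, "unknown access key"
        date = headers.get("X-Date", "")
        try:
            ts = int(date)
        except ValueError:
            return False, "bad date"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "request expired"
        expected = compute_mac(secret, method, path, date, body)
        # Constant-time comparison: never use == on MACs.
        if not hmac.compare_digest(expected, presented):
            return False, "bad signature"
        # Replay check comes after the MAC check so only genuine requests
        # can populate the cache.
        if presented in self.seen:
            return False, "replay"
        self.seen.add(presented)
        return True, "ok"


if __name__ == "__main__":
    body = b'{"op": "transfer", "amount": 10}'  # constructed request body
    hdrs = sign_request("AKID-EXAMPLE", KEYS["AKID-EXAMPLE"], "POST", "/v1/transfer", body)
    print(Verifier(KEYS).verify(hdrs, "POST", "/v1/transfer", body))
```

Because the signature covers the body hash, changing the amount in transit invalidates the request, which plain Basic auth over HTTPS does not give you once the TLS connection is terminated in front of the service. The timestamp and replay cache are what make "authenticate each time" safe against a captured request being resent.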