REST HTTP Authentication - How?

So, I'm developing a REST webservice using RESTeasy and Google App Engine. My question isn't related to GAE, but I mentioned it just in case it matters. It happens that naturally I need to secure my resources and my own users (not Google's).

Securing a REST webservice seems like a very controversial subject, or at least a very 'liberal' one. REST doesn't impose any standard on this matter. From what I've researched on the web and literature, there are at least 3 approaches that I think might fit in my application:

  • HTTP Basic (with SSL)
  • HTTP Digest (with SSL)
  • OAuth

OAuth seems like the most complete approach. But I don't think that such a complexity is needed because I will not need to authorize any 3rd party applications. It is a webservice to be consumed by my own client applications only.

HTTP Basic and HTTP Digest appear as the most simple ones on the web, but the fact is that I've never found a concrete implementation of them using RESTeasy, for example. I've found this page and this one in RESTeasy's documentation. They are indeed very interesting, but they tell little or nothing on this subject (HTTP Basic or Digest).

So, here I am asking:

How do I secure my WebService using HTTP Basic or Digest in RESTeasy?

Perhaps it is so simple that it isn't worth mentioning in the documentation or anywhere else? Also, if anyone can provide me some insight on the matter of securing RESTful webservices, it could be helpful.

Am I choosing the right approaches?

miguelcobain asked Sep 09 '25 22:09


2 Answers

The simplest way to secure a REST API is to use HTTP Basic authentication over SSL. Since the headers are encrypted, there is not much point in using Digest. This should work great as long as you can keep the password secure on the client(s).

Luke Francl answered Sep 12 '25 11:09


I've managed to accomplish this by using RESTeasy's Interceptors. Basically, the requests are intercepted by a listener-like class. In this class I inspect the request's HTTP headers, and then the normal Basic-Auth process goes on.

Useful links:

http://en.wikipedia.org/wiki/Basic_access_authentication
Passing parameters in the message header with a REST API
http://www.alemoi.com/dev/httpaccess/ (the Servlet part)

I hope this helps anyone.

Thanks.

miguelcobain answered Sep 12 '25 11:09
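
The header check described in the answer above, as an added example that is not the answerer's code. It uses the standard JAX-RS 2.0 `ContainerRequestFilter` (supported by RESTEasy 3.x) rather than the older RESTEasy interceptor API, and assumes Java 8+ and registration of an instance as a singleton in the JAX-RS `Application`; `BasicAuthFilter`, `UserStore`, the realm name and the iteration count are hypothetical choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;

public class BasicAuthFilter implements ContainerRequestFilter {
    public interface UserStore {          // hypothetical lookup; back it with your own user table
        byte[] salt(String user);         // null when the user is unknown
        byte[] passwordHash(String user); // PBKDF2-HMAC-SHA256, 100000 iterations, 256 bits
    }
    private final UserStore users;
    public BasicAuthFilter(UserStore users) { this.users = users; }
    @Override
    public void filter(ContainerRequestContext ctx) {
        if (!ctx.getSecurityContext().isSecure()) {
            // Basic credentials are only Base64-encoded: refuse plain HTTP, send no challenge.
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        } else if (!authenticated(ctx.getHeaderString(HttpHeaders.AUTHORIZATION))) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"api\"").build());
        }
    }

    boolean authenticated(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        try {
            String pair = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8);
            int colon = pair.indexOf(':'); // the user-id cannot contain ':', the password can
            if (colon < 0) return false;
            String user = pair.substring(0, colon);
            byte[] salt = users.salt(user);
            boolean known = salt != null;
            // Unknown user: still run the KDF against dummy values so timing does not differ.
            byte[] expected = known ? users.passwordHash(user) : new byte[32];
            PBEKeySpec spec = new PBEKeySpec(pair.substring(colon + 1).toCharArray(),
                    known ? salt : new byte[16], 100_000, 256);
            byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return MessageDigest.isEqual(actual, expected) & known; // constant-time compare
        } catch (IllegalArgumentException | java.security.GeneralSecurityException e) {
            return false; // malformed Base64 or KDF failure: treat as unauthenticated
        }
    }
}
```

Behind a TLS-terminating proxy, `isSecure()` reflects the hop to the container, so check how your deployment reports the original scheme.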