REST authentication / authorization

I need some advice on how to secure my application:

  • I have a REST service, using Spring MVC 3

  • I have my client application, using Ext GWT 2.2

  • Users' credentials are available on the server side only.

  • SSL available

  • REST services should only be used by authenticated users.

I have read about HTTP Digest, token-based authorization, OAuth etc., but I need some clarification and advice on how to secure my application, and which methods are best in my case.

guigui42 asked Apr 27 '11 21:04


1 Answer

Here is the methodology we created for our applications; it works very well and is very secure.

This is a very conceptual explanation; there is a lot of code that backs this up, FYI.

  • When a user authenticates or creates an account, the server returns an x.509 certificate, base64 encoded, that is unique to the user. The server stores a copy.

  • Every time the client needs to access the REST API, the client creates a JSON string consisting of the following:

      ◦ The user's unique ID (UserID)

      ◦ A GUID or UUID that guarantees this call is unique (CallID); this protects against replay attacks

      ◦ A dictionary (collection of key/value pairs) of each parameter of the REST call

We then encrypt that string with the x.509 public key, encode it back to a base64 string, and take this encrypted value and add the UserID to a JSON object we call the token.

We then put the token into the header of each call, and call it something like X-Auth-UserToken.

On every call the server takes the token, looks up the user's certificate based on the UserID, then verifies that the encrypted part of the token can be decrypted with the private key that the server holds for the user.

Once decrypted, the server takes the CallID and verifies that it is unique against its own call-log DB.

If it checks out, the user is authenticated.

Once the user is authenticated, you can apply your own authorization rules based on the user's unique ID.

Of course, all the above is over SSL.

Let me know if you need me to drill down on any parts.

Jason Cragun answered Oct 08 '22 19:10
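The token exchange the answer describes (client encrypts a UserID/CallID/parameters JSON for the user's key and sends it as X-Auth-UserToken; server looks up the user's private key, decrypts, and rejects a CallID it has already seen) as an added, runnable Go example; this is not code from the question, the answer, Spring MVC or Ext GWT. It assumes RSA-OAEP for the "encrypt with the x.509 public key" step, an in-memory map as the call-log DB, and the names newServer, enroll, buildToken and verify, which are ours.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// callPayload is the inner JSON the client encrypts: the user's id, a per-call GUID/UUID (CallID) and the call parameters.
type callPayload struct{ UserID, CallID string; Params map[string]string }
// authToken is the X-Auth-UserToken value: UserID in clear plus the ciphertext, which encoding/json emits as base64.
type authToken struct{ UserID string; Encrypted []byte }
// server keeps each user's private key (the client received the public half at enrolment) and the accepted-CallID log.
type server struct{ keys map[string]*rsa.PrivateKey; callLog map[string]bool }
func newServer() *server { return &server{keys: map[string]*rsa.PrivateKey{}, callLog: map[string]bool{}} }

// enroll mints a 2048-bit key pair for the user, keeps the private key and hands the public key to the client.
func (s *server) enroll(userID string) *rsa.PublicKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	s.keys[userID] = key
	return &key.PublicKey
}

// buildToken (client side): payload JSON -> RSA-OAEP under the user's public key -> token JSON with base64 ciphertext.
// RSA-OAEP/SHA-256 with a 2048-bit key caps the plaintext at 190 bytes, so large parameter sets would need a hybrid scheme.
func buildToken(pub *rsa.PublicKey, userID, callID string, params map[string]string) (string, error) {
	plain, _ := json.Marshal(callPayload{UserID: userID, CallID: callID, Params: params})
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
	if err != nil { return "", err }
	tok, _ := json.Marshal(authToken{UserID: userID, Encrypted: ct})
	return string(tok), nil
}

// verify (server side): look up the key by UserID, decrypt, check the inner UserID matches, refuse a CallID seen before.
func (s *server) verify(header string) (*callPayload, error) {
	var tok authToken
	if err := json.Unmarshal([]byte(header), &tok); err != nil { return nil, err }
	key, ok := s.keys[tok.UserID]
	if !ok { return nil, errors.New("unknown user") }
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, key, tok.Encrypted, nil)
	if err != nil { return nil, errors.New("token was not encrypted for this user's key") }
	var p callPayload
	if err := json.Unmarshal(plain, &p); err != nil || p.UserID != tok.UserID { return nil, errors.New("bad payload") }
	if s.callLog[p.CallID] { return nil, errors.New("replayed CallID") }
	s.callLog[p.CallID] = true // first sighting: record it so the same token is refused next time
	return &p, nil
}
```

In a real deployment the CallID log has to be shared by every server instance and pruned on a schedule, otherwise the replay check either fails open across instances or grows without bound.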