Restful API authentication recommendation?

I am developing several RESTful APIs for a 3rd party to call, and these APIs need authentication (API key & secret based) and authorization (HTTP method & URI based).

Is there any existing software we can reuse that prevents me from rolling out our own implementation for the security layer?

Howard, asked Aug 20 '10 13:08




1 Answer

HTTP gives you granted support for that, so you don't need to reinvent the wheel.

Either use:

  • HTTP Auth Basic (with SSL to bypass plain-text password submit problem)
  • HTTP Auth Digest

Auth Digest has the advantage that it does not transmit the password in cleartext and handles replay attacks (with nonces).

We use HTTP Auth Digest (Tomcat servlet container has direct support for it) and we are content with it.

EDIT: Some clients have problems with Digest (not so trivial), so these days I would opt for Basic and SSL. An advantage of Basic is also that you can use preemptive authentication (sending user:pwd in the first request).

manuel aldana, answered Oct 14 '22 04:10
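To make the two schemes in the answer concrete, here is an added example (not code from the question, the answer, or any of the products mentioned) that builds and verifies a Basic `Authorization` header and a Digest (RFC 2617, MD5, qop=auth) response on both the client and server side. The user table, realm and request URIs are constructed for the demo; it stores plaintext passwords only to keep the example short, and it records each (nonce, nc) pair so a replayed Digest response is rejected, which is the nonce handling the answer refers to.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo credentials and realm (assumptions, not real accounts).
USERS = {"howard": "s3cret-pass"}
REALM = "api@example.com"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# ---------- HTTP Basic (RFC 7617): only safe over TLS ----------

def basic_header(user: str, password: str) -> str:
    """Client side: build the Authorization header value for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def check_basic(header: str):
    """Server side: return the user name if the header carries valid credentials, else None."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    # compare_digest keeps the comparison time independent of where the mismatch is
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    return user


# ---------- HTTP Digest (RFC 2617, algorithm=MD5, qop=auth) ----------

class DigestServer:
    def __init__(self):
        self._issued = {}  # nonce -> set of nonce-count values already accepted

    def challenge(self) -> dict:
        """Parameters the server would send in WWW-Authenticate: Digest ..."""
        nonce = secrets.token_hex(16)
        self._issued[nonce] = set()
        return {"realm": REALM, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, method: str, params: dict) -> bool:
        """Recompute the response from the stored password and reject replays."""
        try:
            user, nonce, nc = params["username"], params["nonce"], params["nc"]
            uri, cnonce, response = params["uri"], params["cnonce"], params["response"]
        except KeyError:
            return False
        password = USERS.get(user)
        if password is None or nonce not in self._issued:
            return False  # unknown user or a nonce this server never issued
        if nc in self._issued[nonce]:
            return False  # same (nonce, nc) seen before: replayed request
        ha1 = md5_hex(f"{user}:{REALM}:{password}")
        ha2 = md5_hex(f"{method}:{uri}")  # binds the response to method and URI
        expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        self._issued[nonce].add(nc)
        return True


def digest_response(user, password, method, uri, chal, nc="00000001", cnonce=None):
    """Client side: the Authorization: Digest parameters for a challenge."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = md5_hex(f"{user}:{chal['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    resp = md5_hex(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": user, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce, "response": resp}


if __name__ == "__main__":
    print(check_basic(basic_header("howard", "s3cret-pass")))  # howard
    srv = DigestServer()
    chal = srv.challenge()
    p = digest_response("howard", "s3cret-pass", "GET", "/api/v1/items", chal)
    print(srv.verify("GET", p), srv.verify("GET", p))  # True False (second is a replay)
```

Note that the Digest server must hold either the plaintext password or the HA1 value, so it cannot use a salted password hash; that, together with MD5 and the client issues the answer mentions, is why Basic over TLS is usually the more practical choice today.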