 

RESTful Service Authentication

As per the REST spec, the service is supposed to be stateless, but then it becomes difficult to enable authentication. Some of the stuff I have read said "making REST stateful is not the end of the world". But that's not the point; the point is to follow the spec and be consistent.

So, I am asking this question here in the hope that someone could guide me in the right direction. I am working with Spring MVC to create a REST service. I do not have views. It is a true REST service which consumes/produces JSON. I need to have an authentication (and, down the road, authorization) mechanism for this application that is stateless and follows the REST specification. The client will be written in JavaScript (Backbone.js, CoffeeScript) and will accept a username/password from a user. Then it will post that information to the server.

How can I achieve true stateless authentication (and authorization) in a Spring based application?

Digest Authentication over SSL - Is this the way to go?

jsf asked Feb 08 '12 21:02




3 Answers

Session management is different from state management.

Your server side, during the handshake, can generate a token, and every time the client makes a call it will have to add that token either to the header or elsewhere for your server to be able to analyze it and decide whether to allow the call to continue.

The server does not need to maintain any state to check the validity of that token; that can be done using some algorithm.

Shahzeb answered Sep 19 '22 14:09


Have you looked into how Spring Security works? Using Spring Security I have been able to add custom HTTP Authorization headers from the client in the REST request. This is extracted server side, the requesting user is authenticated, and it is possible to authorize access to specific resources.

stoffer answered Sep 20 '22 14:09
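The two answers above describe the same pattern: the server hands out a token after the username/password POST, the client puts it in an Authorization header on every request, and the server checks it with an algorithm rather than a session table. The following is an added example (not code from the thread or from Spring Security) of such a token: an HMAC-SHA256 over "username.expiry", verified with a constant-time compare and an expiry check. It deliberately uses only javax.crypto so it compiles without Spring; the "Bearer" scheme, the token layout and the class and method names are assumptions, and in a Spring application the usernameFromHeader logic would live in a filter in front of the controllers.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not from the original thread: a stateless bearer token.
 * Token layout (assumed): base64url(username) "." expiryEpochSeconds "." base64url(HMAC).
 * The server stores nothing per client; validity is recomputed from the signing key.
 */
public final class StatelessToken {
    private static final String HMAC_ALG = "HmacSHA256";
    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private final byte[] secret; // server-side signing key; never leaves the server

    public StatelessToken(byte[] secret) {
        this.secret = secret.clone();
    }

    /** Called once, after the posted username/password has been checked. */
    public String issue(String username, long ttlSeconds) {
        long expires = Instant.now().getEpochSecond() + ttlSeconds;
        String payload = B64E.encodeToString(username.getBytes(StandardCharsets.UTF_8)) + "." + expires;
        return payload + "." + B64E.encodeToString(hmac(payload));
    }

    /** Called on every later request; returns the username, or null if the token is invalid. */
    public String verify(String token) {
        if (token == null) return null;
        String[] parts = token.split("\\.");
        if (parts.length != 3) return null;
        String payload = parts[0] + "." + parts[1];
        byte[] presentedMac;
        try {
            presentedMac = B64D.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison: a forger must not learn the MAC one byte at a time.
        if (!MessageDigest.isEqual(hmac(payload), presentedMac)) return null;
        long expires;
        try {
            expires = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (Instant.now().getEpochSecond() >= expires) return null;
        return new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(secret, HMAC_ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** What a request filter would do with the Authorization header (scheme "Bearer" assumed). */
    public static String usernameFromHeader(StatelessToken t, String authorization) {
        if (authorization == null || !authorization.startsWith("Bearer ")) return null;
        return t.verify(authorization.substring("Bearer ".length()));
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // in production: load from configuration, shared by all nodes
        StatelessToken issuer = new StatelessToken(key);

        String token = issuer.issue("alice", 3600);
        System.out.println("valid   -> " + usernameFromHeader(issuer, "Bearer " + token));

        // Rewriting the username segment breaks the MAC, so the forged token is rejected.
        String forged = token.replaceFirst("^[^.]+",
                B64E.encodeToString("admin".getBytes(StandardCharsets.UTF_8)));
        System.out.println("forged  -> " + usernameFromHeader(issuer, "Bearer " + forged));

        // An expired token is rejected without any server-side lookup.
        String expired = issuer.issue("alice", -1);
        System.out.println("expired -> " + usernameFromHeader(issuer, "Bearer " + expired));
    }
}
```

The trade-off this makes explicit: because nothing is stored, a token cannot be revoked before its expiry; the only levers are a short TTL and rotating the signing key, which invalidates every outstanding token at once. The token must also travel only over TLS, since anyone who captures it can replay it until it expires.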


You can use either Basic or Digest authentication over SSL, neither of which implies anything significant about the state. There may also be a cookie sent back by the server, which your client will need to send back when it makes further requests (I believe that the JavaScript code will handle all that for you). There are other authentication mechanisms possible, but they're more complex and not necessarily suitable. (The other key properly stateless one is client-authenticated SSL, but that requires the browser to have a client SSL key pair installed and the server to know what that identity means, and it's quite a bit more complex to deploy.)

On the server side, use Spring Security as that makes it pretty easy to handle all this stuff. It works well with Spring MVC.

Donal Fellows answered Sep 21 '22 14:09