Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Supplying credentials safely to a RESTFUL API

I've created a RESTful server app that sits and services requests at useful URLs such as www.site.com/get/someinfo. It's built in Spring.

However, these accesses are password protected. I'm now building a client app that will connect to this RESTful app and request data via a URL. How can I pass the credentials across? Currently, it just pops up the user/password box to the user, but I want the user to be able to type the username and password into a box on the client app, and have the client app give the credentials to the RESTful app when it requests data. The client is built using Struts.

Cheers

EDIT - I don't think I made the question clear enough. I'm already forcing HTTPS, my question is more, in-code, when I'm requesting data from www.site.com/get/someinfo, how do I pass my credentials alongside making the request?

like image 674
mtrc Avatar asked Jun 03 '09 13:06

mtrc


2 Answers

You more or less have 3 choices:

  1. HTTP Auth
  2. Roll your own protocol, ideally HMAC challenge/response based
  3. OAuth

OAuth is currently susceptible to a variation of a phishing attack, one that is largely undetectable to the target. As such I wouldn't recommend it until the protocol is modified.

OAuth should also be a lesson about how difficult it is to design secure protocols, and so I'm hesitant to reccomend the roll your own route.

That leaves HTTP auth, which is likely best if you can use it.

All that said, almost everything on the internet uses form based authentication, and many don't even bother with https for transport level security, so perhaps simply sending the password text in the clear is "good enough" for your purposes. Even still I'd encourage using https, as that at least reduces the dangers to a man in the middle attack.

like image 110
Jason Watkins Avatar answered Oct 19 '22 20:10

Jason Watkins


If you can add HTTP headers to your requests you can just add the Authorization header:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

where you're using basic authentication and the QWxhZGRpbjpvcGVuIHNlc2FtZQ== bit is "username:password" base64 encoded (without the quotes). RFC 2617

like image 23
rojoca Avatar answered Oct 19 '22 20:10

rojoca