
RESTful Authentication

 
Gregg Bolinger
Ranch Hand
Posts: 15304
I recently implemented my own authentication for RESTful web services within a Grails application I am building. The process is that the user sends some credentials in the HTTP header that a filter pulls out and then uses that to authenticate the user via Spring Security. Everything goes over HTTPS so I feel pretty safe about the security of that model. Recently, when looking at using a 3rd-party RESTful API, I noticed that they are having us send credentials in the XML body in an authentication block. Again, this is going over HTTPS.

My questions are as follows:

1. When implementing a RESTful web service architecture, is one method preferred over the other?
2. Is there any reason one method might be more secure?
3. Is there a better / more secure / more standard way of handling authentication with a RESTful architecture?

I've looked a bit into implementing my own OAuth but to me, that seems slightly over complicated, at least for my needs right now. This isn't a system where millions of people need to utilize an API.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66203
In my opinion, requiring an envelope within the body makes a service non-RESTful. That's way too SOAP-y for my tastes.

Like you, I simply use HTTP authentication and that works just fine for me and my clients. It also has the advantage that GET requests can be made directly within a browser, and the browser knows how to prompt for credentials.
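As an added example (not code from this thread, and not Grails' or Spring Security's own), the following Python sketches the two header-based options discussed above in one small "filter": standard HTTP Basic authentication via the Authorization header, which answers an unauthenticated request with a WWW-Authenticate challenge so a browser knows to prompt for credentials, and the custom-header scheme from the first post. The header names X-Auth-User and X-Auth-Password, the realm name and the credential store are all constructed for the example; as in the thread, HTTPS is assumed to protect the credentials in transit.

```python
"""Added example: a minimal header-based authentication filter for a REST endpoint.
Not code from the thread or from Grails/Spring Security. Assumes HTTPS transport;
X-Auth-User / X-Auth-Password and the realm name are hypothetical."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

REALM = "example-api"   # hypothetical realm shown to browsers in the challenge
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the server never stores clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_store(credentials: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build {username: (salt, hash)} from clear-text pairs (setup time only)."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


def verify(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> bool:
    """Constant-time credential check; unknown users still pay the hashing cost."""
    entry = store.get(user)
    if entry is None:
        hash_password(password, b"\x00" * 16)
        return False
    salt, expected = entry
    return hmac.compare_digest(hash_password(password, salt), expected)


def parse_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:password)'; return None if the value is malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def extract_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """The 'filter' step: pull credentials out of the request headers.
    Standard Basic auth is tried first, then the hypothetical custom headers."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if "authorization" in h:
        return parse_basic(h["authorization"])
    if "x-auth-user" in h and "x-auth-password" in h:
        return h["x-auth-user"], h["x-auth-password"]
    return None


def authenticate(store: Dict[str, Tuple[bytes, bytes]], headers: Dict[str, str]):
    """Return (status, response_headers, principal). A 401 carries a WWW-Authenticate
    challenge so browsers and HTTP client libraries know to supply credentials."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    creds = extract_credentials(headers)
    if creds is None:
        return 401, challenge, None
    user, password = creds
    if not verify(store, user, password):
        return 401, challenge, None
    return 200, {}, user


def basic_header(user: str, password: str) -> str:
    """Client side: build the Authorization header value for HTTP Basic auth."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    store = make_user_store({"iphone-app": "s3cret"})   # constructed credentials
    print(authenticate(store, {"Authorization": basic_header("iphone-app", "s3cret")}))
    print(authenticate(store, {"X-Auth-User": "iphone-app", "X-Auth-Password": "wrong"}))
    print(authenticate(store, {}))
```

Both schemes end up in the same verification code; the only difference visible to a consumer is that the Basic form is understood by browsers and by stock HTTP client libraries without any custom header handling, while the custom headers need documentation and client-side code.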
 
Gregg Bolinger
Ranch Hand
Posts: 15304
I agree that it feels very SOAPy. I should be clear, though, in that I'm not doing HTTP Authentication. Does that change your thoughts at all with regards to my question?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66203
No, using headers is still more RESTful than envelopes.

But I'd ask why not use HTTP authentication? It's well-supported by libraries that consume web services and understood by all clients (such as browsers).
 
Gregg Bolinger
Ranch Hand
Posts: 15304
Bear Bibeault wrote: No, using headers is still more RESTful than envelopes.

But I'd ask why not use HTTP authentication? It's well-supported by libraries that consume web services and understood by all clients (such as browsers).


Because I'm using Spring Security.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66203
Ah. Does that cause undue hardship on your consumers? (I was doing something similar, and found that it was much easier to consume the RESTful API using available tools if HTTP authentication was used.)
 
Gregg Bolinger
Ranch Hand
Posts: 15304
Bear Bibeault wrote: Ah. Does that cause undue hardship on your consumers? (I was doing something similar, and found that it was much easier to consume the RESTful API using available tools if HTTP authentication was used.)


No, because we have one consumer right now, and it is the iPhone application that we developed. So everything is very controlled. I'm just trying to figure out what to do in the future.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66203
Got it!

Most of mine are consumed by "things out there", so making it easy to consume is in my client's best interest.


(Things are SO much easier when you are your own client, aren't they?)
 