Password protecting the REST service?

After creating the basic REST service, I came to the point where it would be advisable to add some password protection, since I need to check that my users are correctly registered and have sufficient permissions to perform whatever actions they are going to take.

The REST service will be used mainly from the JavaScript-heavy interface, and with this in mind I came up with the following two alternatives to solve this problem:

  • Log in by first sending credentials to the /login page using POST. The page sets a session cookie in which the user is marked as logged in, along with the permission level. For each subsequent request, I confirm that the user is logged in and check his/her permission level. When the session expires, automatically or manually (logout), the user will have to log in again.

  • Temporarily storing the credentials locally (hashed) and sending the user credentials with each individual request, verifying the credentials and permissions for that request.

Are there any other ways to solve this problem, and is there anything else I should be concerned about?

authentication rest
Dec 19 '11 at 13:44
5 answers

I am currently developing a REST API with a client written in JavaScript; below I will try to explain the methods used to protect the API from unauthorized access.

  • Require the Auth-Key with every API request, except /api/authenticate.

  • /api/authenticate takes a username and password (sent using POST) and returns user information along with the Auth-Key.

  • This Auth-Key is randomly generated when /api/authenticate is called and stored in the users table against the specific user record, along with the md5 hash of the remote IP + user agent supplied by the client.

  • For each request, the users table is queried for the Auth-Key value and the md5 sum mentioned. If a valid user is found that has been active in the past N minutes, the user is granted access; if not, HTTP return code 401.

  • In the REST client, first obtain an Auth-Key by POSTing to /api/authenticate, then save this value in a variable and send it with every future request.

Dec 19 '11 at 2:28 a.m.
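The Auth-Key scheme in the answer above, as an added example that is not the answerer's code. It assumes an in-memory users table with PBKDF2 password hashes (the answer does not say how passwords are stored), an activity window of 15 minutes, and binds the key to a sha256 fingerprint of remote IP + user agent where the answer uses md5. Unknown or expired keys, a key replayed from a different client, and a wrong password all end in a 401.

```python
import hashlib
import hmac
import secrets
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed "users" table (assumption): one record per user, with the
# Auth-Key, client fingerprint and last-activity time stored on the record.
_SALT = b"constructed-salt-value"
USERS = {
    "alice": {
        "pw_hash": _hash_password("correct horse battery", _SALT),
        "permissions": frozenset({"read", "write"}),
        "auth_key": None,     # filled in by /api/authenticate
        "client_fp": None,    # fingerprint of the client that obtained the key
        "last_seen": 0.0,
    }
}
ACTIVE_WINDOW = 15 * 60  # "active in the past N minutes" with N = 15 (assumption)


def client_fingerprint(remote_ip: str, user_agent: str) -> str:
    # The answer uses md5(remote ip + user agent); sha256 is swapped in here.
    return hashlib.sha256(f"{remote_ip}|{user_agent}".encode()).hexdigest()


def authenticate(username, password, remote_ip, user_agent, now=None):
    """POST /api/authenticate: on success returns user info plus a fresh Auth-Key."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        _hash_password(password, _SALT)   # same cost for unknown users
        return None
    if not hmac.compare_digest(user["pw_hash"], _hash_password(password, _SALT)):
        return None
    key = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
    user.update(auth_key=key, client_fp=client_fingerprint(remote_ip, user_agent),
                last_seen=now)
    return {"username": username, "permissions": sorted(user["permissions"]),
            "auth_key": key}


def authorize(auth_key, remote_ip, user_agent, now=None):
    """Every other request: returns (200, username) or (401, None)."""
    now = time.time() if now is None else now
    fp = client_fingerprint(remote_ip, user_agent)
    for name, user in USERS.items():
        stored = user["auth_key"]
        if stored is None:
            continue
        if not hmac.compare_digest(stored.encode(), auth_key.encode()):
            continue
        if user["client_fp"] != fp:
            return 401, None              # key presented from another ip/user agent
        if now - user["last_seen"] > ACTIVE_WINDOW:
            user["auth_key"] = None       # idle too long: key is dead, log in again
            return 401, None
        user["last_seen"] = now           # activity extends the window
        return 200, name
    return 401, None
```

With a real database the Auth-Key column is indexed and looked up directly rather than scanned as here. Binding the key to the remote IP is a double-edged choice: it blunts a stolen key but logs out users whose address changes (mobile clients, corporate proxies), so the N-minute window plus TLS usually does more work than the IP check.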

If you want to remain true to the definition of a REST service, then it must be stateless and not store any login (or other contextual) data on the server: http://en.wikipedia.org/wiki/Representational_state_transfer#Constraints

Your second approach would fit this model.

Dec 19 '11 at 2:06 p.m.

First decide what you protect:

  • Authentication (knowing who is requesting your service)
  • Authorization (is this person allowed to make this request or not?)

I recommend issuing hashed keys for your service. This way you can manage key issuance separately from the services. Or a client key and a secret, as Amazon does.

It's always easier for the client if you have a stateless protocol. And send everything through the parameters; cookies also bother the client.

Remember that the point is to make it as easy as possible for potential developers to use your service. A super-secure service that no one uses is boring.

You can let clients choose the level of security by giving them the choice of HTTP or SSL/HTTP endpoints to connect to. Client choice is good.

Dec 19 '11 at 2:34 a.m.
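The "client key and a secret, as Amazon does" approach from the answer above, as an added example that is not the answerer's code and not Amazon's signing scheme. It assumes a constructed key store (key id to shared secret and permissions), a 300-second clock-skew allowance, and that everything travels in request parameters as the answer prefers: the client adds key, ts and an HMAC-SHA256 sig over verb, path and all parameters; the server recomputes and rejects tampering, a changed verb, an unknown key id or a stale timestamp.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed key store (assumption): access key id -> (shared secret, permissions).
KEYS = {
    "AKEXAMPLE01": ("constructed-shared-secret-not-for-real-use", frozenset({"read"})),
}
MAX_CLOCK_SKEW = 300  # seconds; assumption


def canonical_string(method: str, path: str, params: dict) -> str:
    """Deterministic serialisation both sides must agree on: the signature
    covers the verb, the path and every parameter (sorted, URL-encoded)."""
    return "\n".join([method.upper(), path, urlencode(sorted(params.items()))])


def signature(secret: str, method: str, path: str, params: dict) -> str:
    msg = canonical_string(method, path, params).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def sign_request(key_id, secret, method, path, params, timestamp):
    """Client side: returns the full parameter set to send (key, ts, sig added)."""
    signed = dict(params, key=key_id, ts=str(int(timestamp)))
    signed["sig"] = signature(secret, method, path, signed)
    return signed


def verify_request(method, path, params, now):
    """Server side: returns (key_id, permissions) or None if rejected."""
    params = dict(params)
    presented = params.pop("sig", None)
    key_id = params.get("key")
    ts = params.get("ts")
    if presented is None or key_id is None or ts is None or key_id not in KEYS:
        return None
    if not ts.isdigit() or abs(int(now) - int(ts)) > MAX_CLOCK_SKEW:
        return None                       # stale or future-dated: replay window closed
    secret, perms = KEYS[key_id]
    expected = signature(secret, method, path, params)
    if not hmac.compare_digest(expected, presented):
        return None
    return key_id, perms
```

The secret never leaves the client, so a sniffed request only lets an attacker replay that exact request within the skew window; a server-side nonce cache closes even that gap. Note this is authentication of the caller, not of the response, and the request body is not covered here; a POST with a body would add a body digest to the canonical string.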

I am not a security specialist. I am using the RESTful Play! web framework, and it performs the following steps to authenticate users.

  • The cookie is protected from manipulation. It is signed with a long secret key and checked on each request. Just hashing is not enough!
  • They recommend putting unique information that identifies the user in the cookie. Since the server should be the only one able to manipulate the cookie, that is enough.
  • Do not put the password as credentials in the cookie. If someone sniffs the cookie, not only the session can be hijacked but also the full account or, even worse, other accounts with the same credentials.

If you want to protect your cookie from theft, use https.

Dec 19 '11 at 2:22 a.m.
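The signed-cookie mechanism the answer above describes, as an added example that is not the answerer's code and not the Play framework's implementation. It assumes a cookie value laid out as `<hex tag>-<urlencoded payload>` and a constructed application secret. The HMAC variant rejects any edit to the payload; the "just hashing" variant beside it shows why a plain digest is not enough: with no secret involved, anyone can mint a cookie that names themselves admin.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Assumed application secret; a real one is long, random and kept out of source.
APP_SECRET = b"constructed-application-secret-at-least-32-bytes-long"


def _payload(data: dict) -> str:
    return urlencode(sorted(data.items()))          # e.g. "role=user&uid=42"


def sign_cookie(data: dict, secret: bytes = APP_SECRET) -> str:
    """Server side: value is <hmac-sha256 tag>-<payload>; only the secret
    holder can produce a tag that verifies."""
    payload = _payload(data)
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{tag}-{payload}"


def read_cookie(cookie: str, secret: bytes = APP_SECRET):
    """Each request: recompute the tag; any change to payload or tag -> None."""
    tag, sep, payload = cookie.partition("-")       # hex tag contains no '-'
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return dict(parse_qsl(payload, keep_blank_values=True))


# The "just hashing" variant the answer warns against: the tag is a plain
# digest of the payload, so anyone can compute it for any payload they like.
def hash_only_cookie(data: dict) -> str:
    payload = _payload(data)
    return f"{hashlib.sha256(payload.encode()).hexdigest()}-{payload}"


def read_hash_only_cookie(cookie: str):
    tag, sep, payload = cookie.partition("-")
    if not sep or hashlib.sha256(payload.encode()).hexdigest() != tag:
        return None
    return dict(parse_qsl(payload, keep_blank_values=True))


def tamper(cookie: str, **changes) -> str:
    """Attacker without the secret: rewrite payload fields, keep the old tag."""
    tag, _, payload = cookie.partition("-")
    data = dict(parse_qsl(payload, keep_blank_values=True))
    data.update(changes)
    return f"{tag}-{_payload(data)}"
```

The tag proves integrity and origin, not secrecy: the payload is readable by whoever holds the cookie, which is the answer's reason for keeping passwords out of it. Send it with Secure and HttpOnly set so it is neither sent in clear nor readable from page scripts.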
  • Log in by first sending credentials to the /login page using POST. The page sets a session cookie in which the user is marked as logged in, along with the permission level. For each subsequent request, I verify that the user is logged in and check his/her permission level. When the session expires, automatically or manually (logout), the user will have to log in again.

  • Temporarily storing the credentials locally (hashed) and sending the user credentials with each individual request, verifying the credentials and permissions for that request.

Your first approach does not meet the statelessness constraint of REST. You cannot maintain server-side client sessions. This constraint is what makes REST very scalable...

Your second solution is right. The easiest way is to use HTTP basic auth. You do not need to specify the password on the client side. You need an encrypted connection. On the server side you can have a cache of [username, password] -> [identity, permissions], so this solution is much faster and superior in every way to server-side sessions.

For third-party (untrusted) clients, authentication is more complex; I think you do not need that part.

Sep 07 '14 at 12:26
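The HTTP basic auth with a server-side [username, password] -> [identity, permissions] cache from the answer above, as an added example that is not the answerer's code. It assumes a constructed user store with PBKDF2 password hashes and a per-process random key for the cache. The cache is what makes per-request credentials cheap: the slow password hash runs once per (user, password) pair, later requests hit the cache, and a password change drops the user's entries. The cache is keyed by an HMAC of the presented password rather than the plaintext, so neither the password nor a fast, reusable hash of it sits in memory.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

STATS = {"pbkdf2_calls": 0}   # lets the effect of the cache be observed


def _pbkdf2(password: str, salt: bytes) -> bytes:
    STATS["pbkdf2_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed user store (assumption): username -> (salt, pbkdf2 hash, permissions).
_SALT = b"constructed-per-user-salt"
USERS = {
    "alice": (_SALT, _pbkdf2("correct horse battery", _SALT), frozenset({"read", "write"})),
}

# Cache of [username, password] -> [identity, permissions]; the password is
# keyed under a per-process random HMAC key so the cache holds no plaintext.
_CACHE_KEY = secrets.token_bytes(32)
_CACHE: dict = {}


def _cache_key(username: str, password: str):
    return username, hmac.new(_CACHE_KEY, password.encode("utf-8"), hashlib.sha256).digest()


def parse_basic_auth(header: str):
    """'Basic base64(user:pass)' -> (user, pass); None on anything malformed."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = raw.partition(":")   # RFC 7617: first colon splits
    if not sep or not user:
        return None
    return user, password


def authenticate(header: str):
    """Returns (identity, permissions) or None; only meaningful over TLS,
    since the header carries the password on every request."""
    parsed = parse_basic_auth(header)
    if parsed is None:
        return None
    user, password = parsed
    key = _cache_key(user, password)
    hit = _CACHE.get(key)
    if hit is not None:
        return hit
    record = USERS.get(user)
    if record is None:
        _pbkdf2(password, _SALT)   # same cost for unknown users (no enumeration by timing)
        return None
    salt, expected, perms = record
    if not hmac.compare_digest(expected, _pbkdf2(password, salt)):
        return None                # wrong passwords are never cached
    result = (user, perms)
    _CACHE[key] = result
    return result


def forget_user(username: str) -> None:
    """Call on password change or account disable: drop the user's cache entries."""
    for k in [k for k in _CACHE if k[0] == username]:
        del _CACHE[k]


def basic_header(user: str, password: str) -> str:
    """Client side: build the Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode()
```

A production cache also needs a TTL and a size bound, and forget_user must run on every path that changes a password or permissions, otherwise a revoked user keeps working until the process restarts.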


