How do you pass authorization data with an HTTP GET request in a RESTful system?

This is probably a basic question, but for some reason I'm a little dumbfounded. I'm designing a RESTful service that has several pages. When you click on a link, an HTTP GET is issued by default.

Now, how can I send authorization data with a GET request? Should it be part of the URL? I would be forced to create an ugly URL with encrypted request parameters. Is there any way to avoid this?

Is there anything in JavaScript / jQuery that could just send this data "under the hood", so to speak?

In jQuery, the $.ajax method accepts username and password as arguments so that authorization data can be sent along with the AJAX call. Is there an equivalent for non-AJAX calls, or am I left with just the URL?

The reason for this approach:

  • I want the user to be able to click the back button and return to the previous page. If I did a $.get with authorization and then $('html').replaceWith(result), that would break the back button, right? (i.e. it would show nothing)

This should probably be REST 101, but for some reason it has backed me into a corner.

(FYI: Technology: jQuery / JavaScript / Restlet / Freemarker)

(PS: Cookies as a last resort. Or is that the best way? :)

+4

1 answer

With GET requests, you are limited to the request headers and the query string / URL of your request. You can use HMAC or OAuth, where each request is "signed". If you are doing this purely client side, the problem is that the shared secret is no longer a secret.

Of course, it looks like you are already making POST requests using a username and password (which I would strongly discourage, BTW).

If you want to see HMAC examples in action, I believe Amazon does (or did) use HMAC for interacting with S3, so there are many code examples.

Ultimately, it is very difficult to get a web client to authenticate statelessly without revealing some "secret" information, such as passwords or private keys / tokens. You can issue temporary tokens to the user, which are then protected by checking that the request headers (IP address, etc.) stay consistent throughout the token's validity period. If you are exposing temporary tokens to a client, you probably want your authentication mechanism to include a unique nonce per request as well.

Proper stateless RESTful authentication is non-trivial if you want a web client to make the requests, so I would not call it REST 101 :)

+2
