Authentication and REST

I have implemented a Windows service. I would like to expand it to expose some functions through REST. I implemented it using WCF REST functions, and it works the way I want. So far so good.

My problem is security and authentication. Since I know that there is no "one way" to do authentication, I read several articles about it ... here and on other forums and blogs over the Internet ... and I got completely lost. I read arguments for and against SSL, OAuth, HMAC, etc.

I need a user authentication function; username/password is the best way for me.

These users come from Internet browsers, but I plan to have more clients in the future, such as Android or iPhone applications.

So, what, in your opinion, is the best (and easiest ...) way to authenticate a user for a REST protocol?

Thanks!

.Net4 / WCF / Visual Studio 2010

3 answers

So, what, in your opinion, is the best (and easiest ...) way to authenticate a user for a REST protocol?

The simplest RESTful authentication scheme is, of course, HTTP Basic authentication. Of course, it is not very secure, but it may be a first step.

On the server side, you can do this with zero code by simply setting up a reverse HTTP proxy server (Apache, Cherokee, or whatever).

On the client side, this is also zero code most of the time (with Java, .Net, jQuery.ajax, plain XMLHttpRequest, etc.).


By definition, any authentication tool requires state for each user, even if that state is in the form of a password or API key. But this part of REST is ignored by every REST API I have ever used, because they all require an API key. Perhaps REST is not the best option when security is a concern. Browsers track a session identifier well, and using a session identifier is safer than an API key because the value expires. Using a session identifier is a very reliable and proven design, although it is "less RESTful". However, the overhead is very minimal.


If you want to authenticate with HTTP for an HTTP or REST service, just follow what AWS does. It works, it is in production, and there are implementation examples (both client side and server side).

http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html

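As an added illustration of the AWS-style scheme this answer links to (not code from the original post or from AWS), here is a minimal Python signer and verifier following the legacy S3 StringToSign / HMAC-SHA1 construction; Python is used only because it demonstrates the idea compactly, the credentials are constructed, and the canonicalization is simplified (no x-amz-* headers or sub-resources). The server-side date-skew check and constant-time comparison are the parts that limit replay and timing leaks.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed demo credentials (hypothetical); never embed real keys in code.
ACCESS_KEY_ID = "AKIACONSTRUCTEDEXAMPLE"
SECRET_KEY = b"constructed-demo-secret-key"
HTTP_DATE = "%a, %d %b %Y %H:%M:%S GMT"


def parse_http_date(value):
    """Parse an RFC 1123 Date header into an aware UTC datetime."""
    return datetime.strptime(value, HTTP_DATE).replace(tzinfo=timezone.utc)


def string_to_sign(method, path, headers):
    """Legacy S3 StringToSign: verb, Content-MD5, Content-Type, Date, resource (simplified)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return "\n".join([method.upper(), h.get("content-md5", ""),
                      h.get("content-type", ""), h.get("date", ""), path])


def sign_request(method, path, headers, secret=SECRET_KEY, access_key=ACCESS_KEY_ID):
    """Client side: Authorization = 'AWS ' + AccessKeyId + ':' + Base64(HMAC-SHA1(secret, StringToSign))."""
    mac = hmac.new(secret, string_to_sign(method, path, headers).encode("utf-8"), hashlib.sha1)
    return f"AWS {access_key}:{base64.b64encode(mac.digest()).decode('ascii')}"


def verify_request(method, path, headers, keystore, now=None, max_skew=timedelta(minutes=15)):
    """Server side: parse the header, bound the Date skew (replay window), recompute and compare."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("AWS ") or ":" not in auth:
        return False
    access_key, _, presented = auth[4:].partition(":")
    secret = keystore.get(access_key)  # unknown key id: reject
    if secret is None:
        return False
    try:
        sent = parse_http_date(headers["Date"])
    except (KeyError, ValueError):
        return False
    now = now or datetime.now(timezone.utc)
    if abs(now - sent) > max_skew:
        return False
    expected = sign_request(method, path, headers, secret, access_key).split(":", 1)[1]
    return hmac.compare_digest(expected, presented)  # constant-time compare
```

Each signed request binds the method, resource and timestamp to the HMAC, so a captured Authorization value cannot be reused for a different resource or after the skew window closes.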
