RESTful Service Authentication

According to the REST specification, the service must be stateless; but then it becomes difficult to enable authentication. Some of the materials I read say that "making REST stateful is not the end of the world." But that is not the point; the point is to follow the specifications and be consistent.

So, I am asking this question here in the hope that someone can lead me in the right direction. I am working with Spring MVC to create a REST service. I have no views. This is a true REST service that consumes / produces JSON. I need to have an authentication mechanism (and authorization along the way) for this application, which is stateless and follows REST specifications. The client will be written in JavaScript (Backbone.js, CoffeeScript) and will accept the username / password from the user. It will then send this information to the server.

How can I get true stateless authentication (and authorization) in a Spring based application?

Is digest authentication over SSL the way to go?

+8
authentication rest spring-mvc authorization restful-authentication
3 answers

Session management is different from state management.

The server side can generate a token during the handshake, and each time the client makes a call, it will have to add this token either to a header or to some other place where your server can parse it and decide whether to allow the call to proceed.

The server does not need to maintain any state in order to verify the authenticity of this token, which can be done using some algorithm.

+2
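The mechanism this answer describes, as an added example that is not part of the original answer: the server mints an HMAC-signed token (username plus expiry) once the password has been checked, and later verifies it from the `Authorization` header with nothing stored server-side. The secret, header format and one-hour lifetime are assumptions for the illustration; the same logic would sit in a Spring Security filter in a real deployment.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo secret; a real service loads this from configuration.
SECRET = b"constructed-demo-secret-do-not-use"
TOKEN_TTL_SECONDS = 3600  # assumed lifetime of an issued token


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())


def issue_token(username: str, now: Optional[int] = None) -> str:
    """Issued once, after the password check. Nothing is kept on the server."""
    now = int(time.time()) if now is None else now
    payload = f"{username}:{now + TOKEN_TTL_SECONDS}".encode()
    return f"{_b64(payload)}.{_sign(payload)}"


def authenticate(authorization_header: Optional[str], now: Optional[int] = None) -> Optional[str]:
    """Return the username if the header carries a valid, unexpired token, else None."""
    now = int(time.time()) if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    token = authorization_header[len("Bearer "):]
    try:
        encoded_payload, signature = token.split(".")
        payload = _unb64(encoded_payload)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(_sign(payload), signature):
        return None
    username, _, expiry = payload.decode().rpartition(":")
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    return username
```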

Have you looked at how Spring Security works? Using Spring Security, I was able to add custom HTTP authorization headers from the client to a REST request. These are extracted on the server side, the requesting user is authenticated, and access to certain resources can be allowed.

+2

You can use Basic or Digest authentication over SSL, neither of which implies any substantial state. There may also be a cookie sent by the server, which your client will have to send back when it makes further requests (I believe the JavaScript code will handle all this for you). Other authentication mechanisms are possible, but they are more complex and not necessarily appropriate. (Another option is SSL client-certificate authentication, but this requires that the client certificate is installed in the browser and that the server knows what that identity means, and this is a rather difficult thing to deploy.)

On the server side, use Spring Security, as this makes it easy to handle all of this. It works well with Spring MVC.

+1