Geek Answers Handbook

What is the preferred method for authenticating web page users in RESTful?

I am developing a new experimental web application framework and I decided to give RESTful some attention. I read about the basic principles and feel that I have a pretty good understanding of RESTful as a concept.

My system works and works, using URLs strictly to define "nouns" in the system and I take "verbs" from HTTP request methods. I use javascript ajax calls to provide access to the DELETE and PUT methods that HTML forms cannot provide. (I understand that these measures do not have to be RESTful, but it satisfies the requirements of the "Uniform Interface").

The problem is the lack of state and authentication caching. The standard model of user authentication on websites includes an “login” authentication event, after which (if successful) the user is “inside the wall” with a constant secure session and can see and do something in subsequent requests that may be unauthenticated users. This authentication strength seems to violate RESTful-ness. Caching and statelessness seem to be violated because the authenticated user is likely to see HTML that is different from what the unidentified user sees for the same request (for example, there may be a login form in the sidebar for the log, user) .

Using www-authenticate strategies to authenticate a user only on requests requiring authentication seems to be a step in the right direction, since it does not include the concept of a permanent secure session. However, the question still arises of how to portray the “login” for the end user in accordance with what we all expect from websites.

So, in current thinking, what is the preferred way to handle authentication and web page resolution in a strictly RESTful way, while maintaining permission to enter the layout in HTML?

+6
authentication rest web-applications stateless
source share
7 answers

This persistent authentication seems to violate RESTful-ness

Instead of authenticating the user, you might consider creating a session. You will be returned a new “session ID” along with the corresponding HTTP status code (200: OK, 403: Forbidden, etc.).

The user is likely to see HTML that is different from the one that the unidentified user sees the same request.

You ask your REST server: "Can you get the HTML (or any resource) for this session ID?". HTML will be different based on "Session ID".

With this method, there is no wall for "permanent safe sessions." You just play in the session.

A noun (or resource) will represent the actual session if you choose this method.

+3
source share

"The standard user authentication model for websites includes an" login "authentication event, after which (if successful) the user is" inside the wall "with an ongoing secure session"

  • This is not entirely correct. This is partly true, but only for websites that invent their own authentication.

  • If you use digest authentication, the browser must send credentials with each request.

Digest authentication - credentials with each request - completely RESTful.

Do it.

To make things a little more streamlined, you can calculate Nonce digest authentication based on time so that it is useful for a period of time (6 minutes, 0.1 hours is good). Within a few minutes, the request sends status 401 and requires a digest recount.

+4
source share

One option for storing caching in intermediaries for pages with custom elements is to add custom markup through Ajax. You cater for every use of the same page, including some JavaScript that will execute an XHR request for a resource that returns something else depending on the user's input. Then you combine this into a client side page. Most of the page will then be cached, as it is the same for each user.

Another option is to use ESI (Edge Side Includes). At the same time, the cache itself can combine various representations to create the final result.

+2
source share

I think of it this way: The “essence” in user authentication is a session. Thus, your login form uses the POST request to “create” a new session, and the DELETE request to “delete” the session is used to exit the system.

I know what you mean by persistent authentication, going against RESTfulness, but cookies (which give the illusion of persistence) are simply part of every request.

+1
source share

"This persistent authentication seems to violate RESTful-ness. Caching and statelessness seem to be broken because the authenticated user is likely to see HTML that is different from what the unidentified user sees for the same request."

This is normal if the presentation of the resource is slightly different based on the authentication information. Authentication is part of the message, and therefore the message is still "self-describing." It’s clear that you still get access to the same resource, and the edit and delete links are allowed, not the additional data parts. Controlling which transitions are available based on who accesses the resource seems right to me.

+1
source share

Re: Daniel replied:

If a session is a temporary object that is quickly deleted, it is not very cached, since any cache you create will have a useful life, possibly one day, but will continue to use the cache space anyway.

Wouldn't it be better to create a USER as an object and authenticate using digest authentication (or, if necessary, a cookie). Thus, each user gets their own permanent cache, not a cache that lasts a day and disappears.

It also makes more sense to me, because you create a page that looks different depending on the USER user (adding "hello [name]", etc.) and the difference between "logged in" and "logged out system "" depends on whether the user is included in the URL. Regardless of whether a particular person is granted access to this user URL, whether he can authenticate as that user.

+1
source share

If your RESTful environment will be used only by your web application and will not be used as an API for third parties, I see no reason why you cannot use the same authentication scheme as the rest of your application. You can think of this authentication as a level lower than the “application” level. The application layer can still remain stateless in a clean RESTful way.

Of course, if you plan to create a RESTful web API, you will need to think about it.

0
source share

More articles:


All Articles