views:

1405

answers:

4

I built an iPhone app which transfers data via a REST web service (Jersey) via JSON objects to a Java middle tier back end...

Question(s):

(1) What is the best way to secure the login / authentication of this iPhone App?

(2) Is there an open source or commercial framework used to acquire this type of functionality?

So far I have come across OAuth, SAML and REST Identity Services

(3) Will this framework require SSL?

(4) Does it validate the client (not just the user)?

(5) Am I going about this the wrong way? Meaning should I just use an encrypted token which is required for every single REST call and install SSL?

Would really appreciate this if someone understands my plight and can help... I know that this can be done somehow on an iPhone app because Bank of America and Amazon have this same type of login feature and security.

Happy coding,

Mike

A: 

There are many ways to achieve what you want. There are many technologies that can provide you with the security you need.

I have never worked with java service stuff, but there are technologies out there such as WCF that have frameworks that can provide you with login/authentication methods and allow you to add as much security as you want to your services. You can use SSL etc. You can also write your own authentication stuff if you'd like. A good way to pass secure data across the wire for an anonymous access restful service is using signatures: basically you form some sort of string composed usually of method arguments and secret keys and take the md5 hash of it, which can allow you to do authentication in a pretty good way. If I were you I would research the technology I am using to try and take advantage of what they have to provide and start going with that.

Daniel
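An added example of the signature approach described in the answer above, written here for illustration and not taken from the answer, from Jersey or from any framework. It is language-neutral (shown in Python for brevity; the same steps port to the Java server and the Objective-C client): the client builds a canonical string from the method, path, sorted parameters and a timestamp, signs it with a per-client secret, and the server recomputes and compares. It uses HMAC-SHA256 instead of an MD5 of a concatenated string, since HMAC is the standard construction for a keyed hash. The header names, the client id and the secret are assumptions for this example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed shared secret for illustration only. In practice each client
# (or user session) gets its own secret, provisioned and stored server-side.
CLIENT_SECRETS = {"iphone-app-1": b"example-secret-do-not-use"}


def canonical_string(method, path, params, timestamp):
    """Build the exact string both sides sign: method, path, sorted query, timestamp."""
    query = urlencode(sorted(params.items()))
    return f"{method.upper()}\n{path}\n{query}\n{timestamp}"


def sign_request(client_id, method, path, params, timestamp=None):
    """Client side: produce the headers that accompany every REST call."""
    ts = int(time.time()) if timestamp is None else timestamp
    secret = CLIENT_SECRETS[client_id]
    msg = canonical_string(method, path, params, ts).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": str(ts), "X-Signature": sig}


def verify_request(method, path, params, headers, now=None, max_skew=300):
    """Server side: reject unknown clients, stale timestamps and bad signatures."""
    secret = CLIENT_SECRETS.get(headers.get("X-Client-Id"))
    if secret is None:
        return False
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > max_skew:
        return False  # outside the accepted clock-skew window
    msg = canonical_string(method, path, params, ts).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    hdrs = sign_request("iphone-app-1", "GET", "/api/accounts", {"id": "42"})
    print(hdrs)
    print(verify_request("GET", "/api/accounts", {"id": "42"}, hdrs))
```

The timestamp window limits how long a captured request stays usable but does not stop a replay inside that window; a server-side record of recently seen nonces closes that gap. Signing also only proves who sent the request and that it was not altered; it does not hide the payload, so SSL/TLS is still needed for confidentiality.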
A: 

I did a demo at JavaOne at the beginning of June that used Jersey on the server, OAuth (via OpenSSO) and a JavaFX client. The code is somewhat experimental, but it might be useful to you - see this blog entry - especially comment #2. There's also a video that explains it at a high level. I used XML, but, since OAuth works at the HTTP level, it should work equally well for JSON.

BTW - there's an Objective C OAuth Consumer implementation - I haven't used it, but Pownce did.

metadaddy
Excellent! Thank you so much! I will check out your blog entry! One thing I don't understand is that you mentioned OpenSSO. Isn't that different than OAuth?
mw_javaguy
Outstanding! Would this be possible to do with Eclipse? I noticed your blog entry points to a configuration instructions (README file) and its all based using Netbeans...Thank you again!
mw_javaguy
OpenSSO is an open source project - it covers access management, federation and secure web services. OAuth is one of the protocols it implements - albeit in prototype form right now. As far as Eclipse goes - I don't know - there might be Jersey support there, but I'm not sure. Sorry.
metadaddy
+1  A: 

Many SSO schemes rely on url redirects that can be problematic in iPhone apps. Pownce folks tried using OAuth in their app and apparently the experience was confusing to the user. After some research I settled on an approach based on secure WSSE username tokens, the same approach that is used in Atom apps. Enjoy.

Dmitri Tcherevik
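An added example of the WSSE UsernameToken scheme mentioned in the answer above, written for this page and not taken from the answer or from any Atom library. It follows the UsernameToken profile as used by Atom-style APIs: the client sends an X-WSSE header carrying a username, a random nonce, a creation time and PasswordDigest = Base64(SHA-1(nonce + created + password)); the server recomputes the digest, checks that the creation time is recent and rejects any nonce it has already seen. The user table and the 5-minute window are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed user table for illustration; a real service would not keep
# plaintext passwords, but the WSSE digest needs the shared secret as-is.
USERS = {"mike": "correct horse battery staple"}

_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_created(value):
    """Parse the Created timestamp (UTC, second precision) into a datetime."""
    return datetime.strptime(value, _TIME_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce_bytes, created, password):
    """Base64(SHA-1(nonce + created + password)) as the UsernameToken profile defines it."""
    raw = nonce_bytes + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def make_wsse_header(username, password, nonce=None, created=None):
    """Client side: build the X-WSSE header value for one request."""
    nonce_bytes = os.urandom(16) if nonce is None else nonce
    created_str = created or datetime.now(timezone.utc).strftime(_TIME_FMT)
    return ('UsernameToken Username="{}", PasswordDigest="{}", Nonce="{}", Created="{}"'
            .format(username, password_digest(nonce_bytes, created_str, password),
                    base64.b64encode(nonce_bytes).decode(), created_str))


def parse_wsse_header(value):
    """Return the token fields as a dict, or None if the header is malformed."""
    prefix = "UsernameToken "
    if not value.startswith(prefix):
        return None
    fields = dict(_FIELD_RE.findall(value[len(prefix):]))
    if {"Username", "PasswordDigest", "Nonce", "Created"} <= fields.keys():
        return fields
    return None


class WsseVerifier:
    """Server side: digest check, freshness window and one-time nonces."""

    def __init__(self, users, max_age=timedelta(minutes=5)):
        self.users = users
        self.max_age = max_age
        self.seen_nonces = set()  # in production: a shared cache that expires entries

    def verify(self, header_value, now=None):
        fields = parse_wsse_header(header_value)
        if fields is None:
            return False
        password = self.users.get(fields["Username"])
        if password is None:
            return False
        try:
            created = parse_created(fields["Created"])
            nonce_bytes = base64.b64decode(fields["Nonce"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        current = now or datetime.now(timezone.utc)
        if abs(current - created) > self.max_age:
            return False  # too old (or too far in the future) to accept
        if fields["Nonce"] in self.seen_nonces:
            return False  # replayed token
        expected = password_digest(nonce_bytes, fields["Created"], password)
        if not hmac.compare_digest(expected, fields["PasswordDigest"]):
            return False
        self.seen_nonces.add(fields["Nonce"])
        return True


if __name__ == "__main__":
    header = make_wsse_header("mike", USERS["mike"])
    print(header)
    print(WsseVerifier(USERS).verify(header))
```

The nonce set is what turns a timestamp window into real replay protection: the same header is accepted once and refused afterwards. Because the digest is an unkeyed SHA-1 over the password, the token still has to travel over SSL/TLS; the scheme protects the password from casual capture and replay, not from offline guessing against a recorded header.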