tags:

views:

136

answers:

4
+1  Q: 

Securing a REST API

I am in the middle of developing a PHP social media web application which will be supported by various web services each operating a REST API. Web services will probably be implemented in Java with MySQL data layer but the whole point of what I am trying to do is make it really easy to implement modules in different languages/data stores depending on what is approriate.

So for example when the user logs into the application via a login form the PHP code connects to a web service and POSTs the username and password to check if they should be authenticated. I would normally at this point start a session and store it in a session data store.

Another example could be if a user sends a private message to another user. The message would be POSTed to the private messaging web service which would take care of all the storage. Similarly the web service could be contacted to retrieve messages for a user.

Although I understand how to implement the REST web service in Java and make the connection to it in PHP I am totally unsure as to how to secure the data being passed and make sure that it is the users data being returned. If for example I want to get all of user As private messages how does the web service know to return that users. I could pass that users identifier as part of the GET url but then surely any old user could just figure out the GET url and use it to look up other peoples messages. I thought maybe I could pass over the session identifier and IP address which would allow me to check the session data store and make sure it is the correct user?

To secure the data that is important - like the username/password I thought I would just pass it over SSL.

Hope this explains my problem better.

Thanks

A: 

These are basically 2 questions.

When privacy is a concern I'd go for the safest option: Serve data over SSL (via HTTPS).

As far as authentication is concerned, there are several possibilities. Basic over SSL is one of them, but a simple login form with a cookie can be another one. (ASP.Net Forms Authentication for example.) This all depends on how you want to implement your authentication mechanism.

Jeroen Landheer  2010-04-20 15:19:41
A login form isn't appropriate for a API.
Matthew Flaschen  2010-04-20 15:58:32
A: 

I think requiring OAuth is a good choice. Your end users should appreciate that other websites don't need to ask usernames and passwords to access their data. As far as SSL, it's clearly worth doing if you can. You'll have to see if the performance trade-off is acceptable.

Matthew Flaschen  2010-04-20 16:01:17
A: 

Keep in mind that your api must mimic the HTTP protocol.

Http is stateless, and by adding any Sessions or so, you're trying to fake an "Alwaysconnected" method.

With a LoginForm, it's like I'll have to send two requests for each calls ;)

dzen  2010-04-20 16:57:22
So if I have a web application where users are logging in - I would normally create a session which would be stored in a database. My plan here was to use PHP simply as the final part of the page construction. So the web app would make calls to multiple restful web services to get all the data. But depending on who you are logged in as it would depend what data you got back. So I thought you would have to authenticate somehow with the web service so that it knew who you were. Are you saying that because the HTTP protocol is stateless it wouldnt be approriate to use REST for this?
Christopher McCann  2010-04-20 20:25:51
To my mind, an api must be simple by its implementation, its names ... By using Session, you constraint developers to have a cookie mechanism isn't it ?If you just use HTTP authentication, something useing http://php.net/manual/en/features.http-auth.php would probably suffice.
dzen  2010-04-20 21:19:26
thanks very much
Christopher McCann  2010-04-20 21:56:34
+2  A: 

Take a look at HTTP Digest authentication. Most clients should support it, and it means the auth details can be passed securely with each request as part of the headers without interfering with the payload of the request itself.

Ciaran McNulty  2010-04-22 06:46:44

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?