I am developing several RESTful APIs for 3rd parties to call, and these APIs need authentication (API key & secret based) and authorization (HTTP method & URI based).

Is there any existing software we can reuse so that I don't have to roll out our own implementation of the security layer?

+1  A: 

HTTP gives you built-in support for that, so you don't need to reinvent the wheel.

Either use:

  • HTTP Auth Basic (with SSL to avoid the plain-text password submission problem)
  • HTTP Auth Digest

Auth Digest has the advantage that it does not transmit the password in cleartext and handles replay attacks (with nonces).

We use HTTP Auth Digest (Tomcat servlet container has direct support for it) and we are content with it.

manuel aldana
I want authorization as well, e.g. for some APIs such as POST http://www.example.com/adduser, I only want to grant access to some clients.
Howard
I see, it then depends on the technology platform you use. If you use Java and a servlet container, then you can use the built-in authorization based on roles. You attach these roles to allowed URLs and can therefore enforce visibility. You then group a set of clients into roles (i.e. client1+2 belong to role1, client3-6 to role2). If the role-based approach is too coarse-grained (i.e. each client has different access rules), you need to implement a further authorization layer. But first try whether role security fits your requirements (easier to implement).
manuel aldana
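To make the answer concrete, here is an added example (not code from the answerer, the asker, or Tomcat) of the two pieces the thread discusses: server-side verification of an HTTP Digest response with qop="auth" as specified in RFC 2617, including the nonce-count check that stops a captured Authorization header from being replayed, followed by role-based authorization keyed on HTTP method and URI pattern, with clients grouped into roles as the last comment suggests. The realm, the two client accounts, the roles, and the URI constraints are constructed for the example. Two caveats a practitioner should weigh: RFC 2617 Digest is defined over MD5, so you cannot swap in a stronger hash without changing the protocol (RFC 7616 added SHA-256, but client support varies), and the HA1 value the server stores is password-equivalent for that realm, so it needs the same protection as a password.

```python
import hashlib
import hmac
import re
import secrets

# Constructed realm, users, roles and URI constraints for this example.
REALM = "api.example.com"


def md5_hex(s: str) -> str:
    # RFC 2617 Digest is defined over MD5; it is a fixed part of the protocol.
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, password: str) -> str:
    # HA1 = MD5(username:realm:password). The server stores only this value,
    # but it is password-equivalent for the realm, so it must be protected.
    return md5_hex(f"{username}:{REALM}:{password}")


# Credential store: client id -> HA1 (constructed sample clients).
USERS = {
    "client1": ha1("client1", "s3cret-1"),
    "client3": ha1("client3", "s3cret-3"),
}

# Clients grouped into roles, as the comment thread suggests.
ROLES = {
    "client1": {"role1"},
    "client3": {"role2"},
}

# Authorization constraints: (HTTP method, URI pattern, roles allowed).
# A request that matches no constraint is denied by default.
CONSTRAINTS = [
    ("POST", re.compile(r"^/adduser$"), {"role1"}),
    ("GET", re.compile(r"^/users(/[^/]+)?$"), {"role1", "role2"}),
]


def digest_response(h1, method, uri, nonce, nc, cnonce):
    # qop="auth" response per RFC 2617:
    #   response = MD5(HA1:nonce:nc:cnonce:"auth":MD5(method:uri))
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_authorization(username, password, method, uri, nonce, nc, cnonce):
    # The fields a client puts in its Authorization: Digest header after
    # receiving the 401 challenge, represented as a dict instead of header text.
    return {
        "username": username,
        "realm": REALM,
        "nonce": nonce,
        "uri": uri,
        "qop": "auth",
        "nc": nc,
        "cnonce": cnonce,
        "response": digest_response(ha1(username, password), method, uri, nonce, nc, cnonce),
    }


class DigestApiServer:
    def __init__(self):
        # nonce -> highest nonce-count accepted so far; used to reject replays.
        self.nonces = {}

    def challenge_nonce(self):
        # Value sent in: WWW-Authenticate: Digest realm="...", nonce="...", qop="auth"
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def authenticate(self, method, uri, auth):
        """Return the authenticated client id, or None if the header is rejected."""
        h1 = USERS.get(auth.get("username"))
        nonce = auth.get("nonce")
        if h1 is None or nonce not in self.nonces or auth.get("realm") != REALM:
            return None
        # The URI the client signed must be the one actually requested, otherwise a
        # response captured for one resource could be presented for another.
        if auth.get("uri") != uri:
            return None
        try:
            nc = int(auth.get("nc", ""), 16)
        except ValueError:
            return None
        if nc <= self.nonces[nonce]:
            return None  # nonce-count did not increase: replayed header
        expected = digest_response(h1, method, uri, nonce, auth["nc"], auth.get("cnonce", ""))
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return None
        self.nonces[nonce] = nc  # only advance after a successful check
        return auth["username"]

    @staticmethod
    def authorize(username, method, uri):
        roles = ROLES.get(username, set())
        for m, pattern, allowed in CONSTRAINTS:
            if m == method and pattern.match(uri):
                return bool(roles & allowed)
        return False

    def handle(self, method, uri, auth):
        # Status the API would answer with: 401 (not authenticated), 403 (not allowed), 200.
        user = self.authenticate(method, uri, auth)
        if user is None:
            return 401
        if not self.authorize(user, method, uri):
            return 403
        return 200
```

A servlet container does the equivalent of `CONSTRAINTS` and `ROLES` declaratively (security constraints mapped to URL patterns and HTTP methods, with users assigned to roles), which is why the answer recommends trying that before writing a custom authorization layer; the explicit table here shows the shape of what the container enforces and where per-client rules would have to be added if roles prove too coarse.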