Implementing Security in REST?

views:

answers:

+1 Q:

Implementing Security in REST?

Hello All,

I am concerned on how to implement security measures may it be Authentication or Authorization.. How can these be implemented.. if you have any thoughts or links that you can share with regards to WCF REST 4.0 Security and if you've implemented it also the better. because ive been trying to find out on this topic all i find is information on how to implement it using 3.5 and lower versions which seem to be different from the samples i see for 4.0 which i tried but did not make sense while implementing it.

Thank you

Because REST is stateless you cannot use a cookie or session id. It is common to use HTTP Basic Authentication and HTTPS for all requests.

Rook 2010-09-15 08:30:31

Thanks for this article, So I get the result of the Base64 encoded, which results to ex: QWxhZGRpbjpvcGVuIHNlc2FtZQ== Then how to i parse this back to get the username and password that I passed in here. Can this be implemented in all methods(Get, Put, Post and Delete) Thanks

Ravi 2010-09-15 09:23:08

@Ravi Are you asking for a base64 decode function? Yes, http header elements like the authentication element can be sent with all HTTP methods.

Rook 2010-09-15 18:21:43

@Rook thanks for you reply. Yea the base64 function to implement the HTTP Basic Authentication and HTTPS you said in your comment.

Ravi 2010-09-17 04:28:10

@Ravi what? SO doesn't write code for you. And basic auth already exists for every http dev platform. (http://msdn.microsoft.com/en-us/library/ms733775.aspx)

Rook 2010-09-17 06:33:17

Ive found out how i can pass this:private HttpClient m_RestHttpClient = new HttpClient("http://localhost:17471/ProductService/"); m_RestHttpClient.TransportSettings.Credentials = new System.Net.NetworkCredential("admin", "admin");

Ravi 2010-09-17 10:22:07

But how can I get these values in the server side code of rest?

Ravi 2010-09-17 10:22:52

Hello Rook, I implemented security in the client by passing the username and password this way: m_RestHttpClient.TransportSettings.Credentials = new System.Net.NetworkCredential("admin", "admin"); My concern now is how can i extract this network credential in the server side

Ravi 2010-09-20 05:41:45

@Rook Hopefully you understand what im trying to do here.. basically just pass these parameters into the server side, so I can authenticate the user without passing them as uri strings. Thank you

Ravi 2010-09-21 08:42:53

+1 A:

You might want to explore this solution for WCF REST, it is a interceptor for implementing basic authentication with a custom user database.

http://weblogs.asp.net/cibrax/archive/2009/03/20/custom-basic-authentication-for-restful-services.aspx

That interceptor authenticates the user with a password, and initializes the current principal, so you can use that one from the service itself for doing authorization or implement an IAuthorizationManager if you want to have that logic as something reusable across several services.

You will also find some other authentication methods in my blog, like certificate authentication or OAuth, which are less common.

Thanks Pablo.

2010-09-15 17:21:36

Hello Pablo, I implemented security in the client by passing the username and password this way: m_RestHttpClient.TransportSettings.Credentials = new System.Net.NetworkCredential("admin", "admin"); My concern now is how can i extract this network credential in the server side

Ravi 2010-09-20 05:42:09

ansaurus

tags:

views:

answers:

Implementing Security in REST?

related questions