tags:

views:

471

answers:

5
Q: 

Supplying credentials safely to a RESTFUL API

Hello,

I've created a RESTful server app that sits and services requests at useful URLs such as www.site.com/get/someinfo. It's built in Spring.

However, these accesses are password protected. I'm now building a client app that will connect to this RESTful app and request data via a URL. How can I pass the credentials across? Currently, it just pops up the user/password box to the user, but I want the user to be able to type the username and password into a box on the client app, and have the client app give the credentials to the RESTful app when it requests data. The client is built using Struts.

Cheers

EDIT - I don't think I made the question clear enough. I'm already forcing HTTPS, my question is more, in-code, when I'm requesting data from www.site.com/get/someinfo, how do I pass my credentials alongside making the request?

+1  A: 

Some relevant previous questions that might help you...

http://stackoverflow.com/questions/458482/rest-and-authentication-variants http://stackoverflow.com/questions/319530/restful-authentication

Tim Hoolihan  2009-06-03 13:20:05
This seems useful. The HTTP AUTH thing they mention - is this done explicitly? I don't need to use tokens or suchlike, I need to get this data specifically over to the RESTful app as it uses the credentials later. Can I send these creds directly via AUTH?
mtc06  2009-06-03 13:28:01
yeah, i think i musunderstood and thought you were looking for an auth scheme, not implementing the repeated passing via client. i'm probably not the one to answer that question, as I don't have a ton of java experience, but it might help to post a snippet of how you are calling the rest uri's now. is there an overload that allows passing of basic authentication credentials?
Tim Hoolihan  2009-06-03 13:54:13
A: 

Well, https has nothing to do with authentication, it's just transport-level encryption.

if you interact with an HTTP api, be it that it's https or not, and the dialog box pops up, it means its using HTTP authentication, either basic or digest. If your client instantiates an http client to read data from those "services", then you can pass those credentials when you instantiate the object.

If you use client-side script, XmlHttpRequest supports http authentication as well.

So in terms of code, how you pass the credentials to the RESTful services is dependent on the http client you're using (the object you instantiate to retrieve the data). You can simply collect such a username / password yourself from the client, and use it to call the other service.

serialseb  2009-06-04 13:28:47
A: 

If you can add HTTP headers to your requests you can just add the Authorization header:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

where you're using basic authentication and the QWxhZGRpbjpvcGVuIHNlc2FtZQ== bit is "username:password" base64 encoded (without the quotes). RFC 2617

rojoca  2009-06-05 02:39:40
== shouldn't be in a URL. You can strip it and add it back though by examining the string length and understanding base64 encoding.
Wahnfrieden  2009-07-22 21:24:11
The Authorization header isn't part of the URL. It's a header, and there's no restriction on putting == in a header.
Brendan Berg  2010-04-08 18:31:45
A: 

look at existing solutions. In this case, oauth

Pat  2009-06-05 03:30:03
+1  A: 

You more or less have 3 choices:

  1. HTTP Auth
  2. Roll your own protocol, ideally HMAC challenge/response based
  3. OAuth

OAuth is currently susceptible to a variation of a phishing attack, one that is largely undetectable to the target. As such I wouldn't recommend it until the protocol is modified.

OAuth should also be a lesson about how difficult it is to design secure protocols, and so I'm hesitant to reccomend the roll your own route.

That leaves HTTP auth, which is likely best if you can use it.

All that said, almost everything on the internet uses form based authentication, and many don't even bother with https for transport level security, so perhaps simply sending the password text in the clear is "good enough" for your purposes. Even still I'd encourage using https, as that at least reduces the dangers to a man in the middle attack.

Jason Watkins  2009-06-05 03:41:14

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java