All geek questions in one place

How to Protect RESTful Web Services (PROVIDER)

I need Restfull secure services in a provider. I want the user to have authorization to use the REST service, and I can generate the use of stadistic or just not allow the call of REST services if he is not a register developer.

I thought that the user sends e-mail and password for URL-address (http://autor.derf.com/api/search/ email?=dsdfd@gmail.com & the passwd = dasffsdf;), but isnt very safe.

I also read about oauth 2.0, but the documentation is very bad for Java.

Is there any other way to have a RESTful api with authorization?

I want to access Restfull API via Iphone, Android, Windows Phone and web.

Thank you in advance;)

+1
source share
1 answer

If you plan to write all the clients for the service yourself (iPhone, Android, etc.), then sending email and a password is a worthy alternative if the provider exchanges data through a secure transport layer (for example, SSL / HTTPS).

You can always add OAuth 1 or 2 support later if you think you want your APIs to be publicly available. (The whole idea with OAUth is to protect user passwords, as well as to gain more granular control over which APIs the client can use and for how long).

But in your case, I would at least think about using basic authentication, in which a typical HTTP request looks something like this:

GET /path/to/api HTTP/1.1 Host: www.example.com Authorization: Basic aHR0cHdhdGNoOmY=

The hash after "Basic" is simply base64 encoded "username:password" , or in your case "email:password" . If someone intercepts this, it's easy just not to code to get the user credentials of plain text. Therefore, HTTPS is a must.

& Rdquo; Additional information on basic authentication on wikipedia .

+1
source

Source: https://habr.com/ru/post/1385792/

More articles:


All Articles