Authentication in a RESTful Web Service

I am creating a RESTful Spring based web service. I am using Spring Security. Access to it will be available only for desktop applications. This is basically a machine-to-machine web service.

  • I want the user to authenticate to the service, then perform other, more sensitive operations based on the authentication result.

  • Another option is to send the credentials in the body of each request and basically authenticate each time.

Logic says that the first approach would be most effective because there is a certain overhead of authentication each time.

What do you suggest in this regard? Go stateful or stateless? Are there any serious shortcomings to a session-based approach?

Until now, I have read several chapters from Java Web Services Up and Running, as well as several questions from SO, such as this.

2 answers

The REST way to do this is, as indicated in the links that you provide, to authenticate each request and NOT to conduct sessions.

As for authentication with username / password for each request, it is safe if you can use... a secure transport layer (https); otherwise the pair is sent in plaintext and can be intercepted.

Another option is to use something like AWS does for this (Amazon links here and here, for example). Other explanations here: buzzmedia and samritchie.

OAuth may be an option, but I have no experience with it.

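The stateless, authenticate-every-request approach the answer above recommends, written as a Spring Security configuration. This is an added example, not code from the question or the answers; it assumes Spring Security 6 with the lambda DSL, and the user name, password and role are constructed placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class StatelessApiSecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Desktop (machine-to-machine) clients, no browser: CSRF tokens add nothing here.
            .csrf(csrf -> csrf.disable())
            // Never create or consult an HTTP session; every request must carry credentials.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Refuse plain HTTP so the Basic username:password pair is never sent in the clear.
            .requiresChannel(ch -> ch.anyRequest().requiresSecure())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // HTTP Basic: credentials are verified on each request via the UserDetailsService below.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Delegating encoder hashes with bcrypt by default; stored passwords are never plaintext.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService clients(PasswordEncoder encoder) {
        // Constructed sample client account; a real service would load clients from a store.
        return new InMemoryUserDetailsManager(
            User.withUsername("desktop-client")
                .password(encoder.encode("change-me-placeholder"))
                .roles("CLIENT")
                .build());
    }
}
```

With this chain in place, a request without an Authorization header gets 401, and a request over plain HTTP is redirected to HTTPS before credentials are examined.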

To get started with a REST service (client-server), I highly recommend that you use Restlet.

Authentication against this REST service can be set up using ClientResource. Example:

```java
import org.restlet.data.ChallengeScheme;
import org.restlet.resource.ClientResource;

// Builds a client resource that answers the server's HTTP Basic challenge
// with the given credentials on every request it sends.
private static ClientResource getClientResource(String uri) {
    ClientResource clientResource = new ClientResource(uri);
    clientResource.setChallengeResponse(ChallengeScheme.HTTP_BASIC, "username", "password");
    return clientResource;
}
```

Source: https://habr.com/ru/post/918292/
