
REST authentication - Digital signature?

I am trying to secure my REST API developed using Spring MVC.

On Google search I came across this link.

Is this the best approach? Does it use Digital Certificates? Or are Digital Certificates used only for SOAP based Web services?

Please also point me if there are better alternatives for REST authentication.

Is this the best approach?

What is "best" depends on your requirements. The benefits of this approach are

  • Fairly easy to implement
  • No obvious vulnerabilities as long as the Secret Access Key stays secret.

Not so nice:

  • Both sides have to know the Secret Access Key, so you as a user must trust the provider of the REST service keeping your Secret Access Key secret. In most cases this is probably not a big limitation, but still ...

Does it use Digital Certificates?

Nope. No certificates involved. With the exception of the SSL connection that is probably used to give the Secret Access Key to you.

Or are Digital Certificates used only for SOAP based Web services?

Not true. You can use https (SSL) for REST, which typically involves the presentation of a certificate by the server to authenticate itself. You can also configure it so that the client has to authenticate itself with a certificate using SSL. This would be a nice solution, but is rather tricky to implement on the client side. It's not rocket science, but reading and understanding the handling of Certificates and private and public keys can be tricky. You'd also need some trusted Root CA, which is either a lot of work to set up or rather expensive to use if you use one of the established ones. I'd consider this approach when I'm working on internal services of a large company. They often already have this kind of infrastructure.

Please also point me if there are better alternatives for REST authentication.

As said above: This is a pretty good approach for most services. Using a PKI with client certificates would be an alternative, better in some settings.
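The shared-secret scheme discussed in this answer, written out as an added example (not code from the question, the linked page, or Spring): the client signs a canonical form of the request with its Secret Access Key, and the server recomputes the signature, checks a timestamp window against replay, and compares in constant time. Header names, the demo key id and secret, and the skew window are assumptions.

```python
import hashlib
import hmac
import time

# Constructed demo credentials; a real service issues these per user.
ACCESS_KEY_ID = "AKIDEXAMPLE"
SECRET_ACCESS_KEY = b"constructed-demo-secret-do-not-reuse"
CREDENTIALS = {ACCESS_KEY_ID: SECRET_ACCESS_KEY}  # server-side key store
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is too old or too new


def canonical_string(method, path, timestamp, body):
    """Bind method, path, timestamp and a body hash into one string to sign."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(access_key_id, secret, method, path, body, timestamp):
    """Client side: produce the headers for an HMAC-SHA256 signed request."""
    msg = canonical_string(method, path, timestamp, body).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Access-Key": access_key_id,
            "X-Timestamp": str(timestamp),
            "X-Signature": sig}


def verify_request(headers, method, path, body, now=None):
    """Server side: True only if the key is known, the timestamp is fresh
    and the signature matches the request as actually received."""
    now = time.time() if now is None else now
    secret = CREDENTIALS.get(headers.get("X-Access-Key", ""))
    if secret is None:
        return False  # unknown or missing key id
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale request, or a replay outside the window
    msg = canonical_string(method, path, ts, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```

Any change to the method, path or body after signing, a stale timestamp, or an unknown key id makes verification fail; the secret itself never travels on the wire.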

You can simulate public/private key authentication like this

You need two basic things!

  1. UserId / Application Id (to check this application is allowed to access this application) (Private Key)

  2. A random key for the API (to check this method is allowed for the then authenticated application)

The Rest service (Server Side) will have a record of all the allowed applications through "Application ID".

Now you can use these two keys in your own algorithm. For example, you can create a simple HASH out of it.

The scenario would be: you are encrypting your API with a public key (your API random key). The client who is calling the method is decrypting with his private key (Application ID).

When the client sends his Application Id, you can generate the HASH out of his Application Id and the API random key and make sure that this application is allowed to call this method.

The advantages here are:

  1. The server side can change the encryption algorithm, which the client need not be worried about.

  2. The server can change the method encryption (the public key), which the client need not worry about.

  3. The client CANNOT change the private key (Application ID). If he changes it, the server will reject it. In other words, a non-registered application cannot access the Rest Service.
