I am developing several RESTful API for 3rd party to call, and these API need authentication (apikey & secret based), and authorization (HTTP method & URI based).
Are there any existing software we can reuse that prevent me from rolling out our own implementation for the security layer?
HTTP gives you granted support for that, so you don't need to reinvent the wheel
Either use:
Auth Digest has advantage, that it does not transmit the passowrd in cleartext and handles replay attacks (with nonces).
We use HTTP Auth Digest (Tomcat servlet container has direct support for it) and we are content with it.
EDIT: Some clients have problems with Digest (not so trivial), so these days I would opt for Basic and SSL. Advantage for Basic is also that you can you preemptive authentication (sending user:pwd in first request).
如果您使用Ruby on Rails(3.2.0或更高版本)构建API,请查看restful_api_authentication gem - https://rubygems.org/gems/restful_api_authentication
Independently of your technology you can implement some system like AWS uses.
Implementation is not too difficult but you need to take into account each request to server requires to query the store to retrieve the SAK. One option is to use a NoSQL DB or similar (like Redis or memcache) to store the userid/sak.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.