
Authentication and REST

I have implemented a Windows service. I'd like to extend it to have some features enabled via REST. I have implemented it using WCF REST features and it works as I want. So far so good.

My problem is security and authentication. As I know there is no 'one way' for authentication, I have read several articles about it, also here and in other forums and blogs over the internet, and I am totally lost. I have read the pros and cons of SSL, OAuth, HMAC and so on.

The feature I need is to authenticate the user somehow; user name/password would be the best way for me.

These users are coming from internet browsers, but later I plan to have some more clients, like Android or iPhone apps.

So, which do you think is the best (and simplest...) way to authenticate a user for a REST protocol?

Thanks!

.Net4/WCF/Visual Studio 2010

So, which do you think is the best (and simplest...) way to authenticate a user for a REST protocol?

The simplest RESTful authentication scheme is definitely HTTP basic authentication. Of course, it is not very secure but it can be a first step.

On the server-side, you can do it with zero code, by just setting up an HTTP reverse proxy (Apache, Cherokee or any other).

On the client-side, it is also zero code most of the time (with Java, .Net, jQuery.ajax, plain XMLHttpRequest, etc.).
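As an added illustration of the scheme this answer recommends (not code from the answer or from WCF), the following Python shows what an HTTP Basic Authorization header actually carries and how a server checks it. The user store, salt length and PBKDF2 iteration count are constructed assumptions. The point to notice is that Base64 is only an encoding: the password is fully recoverable from the header, which is why this scheme needs TLS underneath it, and why the server should keep only a salted hash and compare in constant time.

```python
"""Added example: HTTP Basic authentication, client encoding and server check.
Not from the original answer; the user store and parameters are constructed."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

_PBKDF2_ITERATIONS = 200_000  # assumption: pick per your hardware budget
_SALT_LEN = 16                # assumption


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)


def make_user_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user store: maps username -> (salt, pbkdf2 hash). Never keep plaintext."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(_SALT_LEN)
        store[name] = (salt, _hash_password(password, salt))
    return store


def basic_auth_header(username: str, password: str) -> str:
    """Client side (RFC 7617): 'Basic ' + base64('user:pass'). Base64 is not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def verify_basic_auth(header_value: Optional[str],
                      store: Dict[str, Tuple[bytes, bytes]]) -> Optional[str]:
    """Server side: returns the authenticated username, or None on any failure."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    salt, expected = store.get(username, (b"", b""))
    # Hash even for unknown users so the response time does not reveal which
    # usernames exist (assumption: the dummy salt is enough for this purpose).
    candidate = _hash_password(password, salt or b"\x00" * _SALT_LEN)
    if username in store and hmac.compare_digest(candidate, expected):
        return username
    return None
```

On the wire the header for user "Aladdin" with password "open sesame" is `Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==` (the RFC 7617 example); anyone who can read the request can read the password, so the reverse proxy mentioned above should terminate TLS in front of the service.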

By definition any means of authentication would require per-user state, even if that state is in the form of a password or API key. But this part of REST is disregarded by every REST API I have ever used, because they all require an API key. Perhaps REST isn't the best option when security is a concern. Browsers are good at keeping track of session ids, and using a session id is more secure than an API key because the value expires. Using a session id is a very secure and proven design pattern, although it is "less RESTful". However, the overhead requirements are quite minimal.

If you want to authenticate over HTTP for an HTTP or REST service, just follow what AWS does. It works, it's in production, and there are examples of implementation (both the client and server side).

http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
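To make the AWS approach concrete, here is an added Python example modelled on the signed-request scheme described at the linked page (an HMAC-SHA1 over a canonical string, carried in the Authorization header). It is not the answer's code and not AWS's library; the access key, secret, resource and the 15-minute clock-skew window are constructed assumptions. The server side recomputes the signature from the request it actually received, rejects stale dates to limit replay, and compares in constant time.

```python
"""Added example modelled on the S3-style signed request from the linked page.
Keys, names and the skew window are constructed assumptions, not AWS code."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Callable, Dict, Optional

MAX_CLOCK_SKEW = timedelta(minutes=15)  # assumption: how old a signed request may be


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Case-insensitive header view with surrounding whitespace removed."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def string_to_sign(method: str, resource: str, headers: Dict[str, str]) -> str:
    """Canonical string: verb, Content-MD5, Content-Type, Date, sorted x-amz-* headers, resource.
    Everything the server will check must be covered by this string."""
    h = _lower(headers)
    amz = "".join(f"{k}:{h[k]}\n" for k in sorted(h) if k.startswith("x-amz-"))
    return (f"{method.upper()}\n{h.get('content-md5', '')}\n"
            f"{h.get('content-type', '')}\n{h.get('date', '')}\n{amz}{resource}")


def _signature(secret: str, text: str) -> str:
    mac = hmac.new(secret.encode("utf-8"), text.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def parse_http_date(value: str) -> Optional[datetime]:
    """Parse an RFC 2822 Date header; None if missing or malformed."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if dt is None:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def sign_request(access_key: str, secret: str, method: str, resource: str,
                 headers: Dict[str, str]) -> Dict[str, str]:
    """Client side: returns a copy of the headers with Authorization added.
    The secret itself never leaves the client."""
    out = dict(headers)
    sig = _signature(secret, string_to_sign(method, resource, out))
    out["Authorization"] = f"AWS {access_key}:{sig}"
    return out


def verify_request(method: str, resource: str, headers: Dict[str, str],
                   lookup_secret: Callable[[str], Optional[str]],
                   now: Optional[datetime] = None) -> Optional[str]:
    """Server side: returns the access key id if date and signature check out, else None."""
    h = _lower(headers)
    scheme, _, credential = h.get("authorization", "").partition(" ")
    access_key, sep, presented = credential.partition(":")
    if scheme != "AWS" or not sep or not access_key:
        return None
    sent_at = parse_http_date(h.get("date", ""))
    if sent_at is None:
        return None
    now = now or datetime.now(timezone.utc)
    if abs(now - sent_at) > MAX_CLOCK_SKEW:
        return None  # stale or future-dated: reject to bound the replay window
    secret = lookup_secret(access_key)
    if secret is None:
        return None  # unknown key id
    expected = _signature(secret, string_to_sign(method, resource, headers))
    return access_key if hmac.compare_digest(expected, presented) else None
```

Because the verb, resource and Date are inside the signed string, changing any of them invalidates the signature, and the Date check means a captured request stops working after the skew window even though the key pair is long-lived. The secret is a shared key, so it has to be provisioned to each client out of band, which fits server-to-server clients better than the browser users in the question.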
