
REST service through SSL and HTTP Basic Authentication

In Securing an API: SSL & HTTP Basic Authentication vs Signature HTTP Basic Authentication is cited as an adequate way to secure REST web service calls if the REST calls are made through SSL.

But it seems this method will still not work for an unsecured client page that uses Ajax to make calls to the REST service that is protected behind SSL & Basic Auth.

I am trying to design an application that performs password reset using the usual way:

  1. user enters username and requests "reset password" email
  2. user receives email with a password reset link that includes a verifiable token
  3. user clicks on the link and (after the token is verified) types in their updated password

By definition these pages do not require login. Can this UI be implemented using Ajax that calls REST services to do things like validate token, send email, etc.? Even if those REST services are protected behind SSL & Basic Auth, the information that you need to call the service (i.e. the application's "username" and password) will be at best in cookies, which would be accessible through the browser.

I know I am missing something. I just don't know what :-)
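The three reset steps above can be served by endpoints that need no client credential at all, because the emailed token is the credential. This is an added Python sketch, not code from the question or any answer; it assumes constructed in-memory stores in place of the application's database and a 15-minute token lifetime.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the application's database.
USERS = {"alice": {"email": "alice@example.invalid", "password_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> (username, expires_at)

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link


def _digest(token):
    # Only the hash of the token is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username, now=None):
    """Step 1: issue a single-use token to be emailed. Returns None for an
    unknown user so the endpoint does not reveal which usernames exist."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
    RESET_TOKENS[_digest(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def verify_token(token, now=None):
    """Step 2: check the emailed token without any caller credential.
    Returns the username, or None if the token is unknown or expired."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.get(_digest(token))
    if entry is None:
        return None
    username, expires_at = entry
    if now > expires_at:
        del RESET_TOKENS[_digest(token)]
        return None
    return username


def reset_password(token, new_password, now=None):
    """Step 3: consume the token and set the new password. True on success."""
    username = verify_token(token, now)
    if username is None:
        return False
    del RESET_TOKENS[_digest(token)]  # single-use: burn it before changing anything
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    USERS[username]["password_hash"] = (salt, pw_hash)
    return True
```

The browser page that calls these endpoints holds nothing secret; the only thing to protect is the token in transit, which is what SSL on the link and on the Ajax calls provides.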

As long as 1 - 3 happen under SSL, the data will be safe over the wire to the server (assuming you trust the certificate authority).

During that process, the browser will hold those credentials in memory. You have no choice but to trust that if the user is going to enter the data.

It is the web site's code that determines whether to store info in cookies.

I think you should be OK if 1 - 3 are under SSL.

I've no idea what you're protecting so I'll just toss some thoughts out.

SSL and TLS are not meaningful if you (or someone else who gives a hoot) aren't in control of the root list of the relying party. I say this because I expect that if you don't trust the guy with the key to the lock then you won't put your money in his vault. So if the users loading the login pages are in the wild so to speak then user/pass through TLS is a low bar, definitely good enough for protecting my favorite movies list.

Carby praises to the all being FSM
