• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
REST Authentication
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

REST Authentication

  • Subject: REST Authentication
  • From: Kieran Kelleher <email@hidden>
  • Date: Fri, 19 Mar 2010 10:44:49 -0400
First, Wonder's ERRest.framework rocks! Thank you again Mike Schrag! .... and that is not my first time saying that in the last couple of days :-)

Second, I would like to get some opinions on REST authentication approaches. There seems to be a plethora of approaches out there.

Probably the "easiest" for us WO devs is to make the user call a https login URL first to authenticate with userid, password and if successful, hand them back a response with Session cookie and just use https and existingSesson in cookie in our ERX route request handling for the duration of the session. While easy for us, this might be a little inconvenient for the client developer though since they must now manage their session key and handle retries if the session has timed out, etc.

So, if I were trying to get really simple (for the client/client-developer) stateless REST authentication, whereby the client did not have to maintain a session and every request has the authorization aspect, then what are the best approaches? Anyone have any hands-on experiences to share?

The simplest approach seems to be the API Key, but it seems a little insecure ..... like a permanent session. For example these guys use an api key and, if I am not mistaken, it seems they use it over HTTP, so any traffic sniffer could pick it up: http://www.campaignmonitor.com/api/method/campaign-create/
Nevertheless this is obviously the easiest way for a client to interoperate I would think..... and if done over https, then it should be both secure and easy for a client implementation? Thoughts?

Then you look at Amazon's authentication. That seems like a very secure solution? Any thoughts?
http://docs.amazonwebservices.com/AmazonS3/latest/index.html?RESTAuthentication.html

BTW, the java implementation for generating the ever-changing Auhtorization code for AWS Auth can be found at:
ERAttachment/Sources/com.amazon.s3.AWSAuthConnection.addAuthHeader(HttpURLConnection, String, String)

So, thoughts, opinions?
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: REST Authentication
      • From: AndrĂ© Mitra <email@hidden>
    • Re: REST Authentication
      • From: Mike Schrag <email@hidden>
    • Re: REST Authentication
      • From: Pascal Robert <email@hidden>
  • Prev by Date: Re: WOLastic?
  • Next by Date: Re: REST Authentication
  • Previous by thread: [OT] mYprize 4G Global Developer Challenge
  • Next by thread: Re: REST Authentication
  • Index(es):
    • Date
    • Thread