Supplying credentials safely to a RESTFUL API

 

I've created a RESTful server app that sits and services requests at useful URLs such as www.site.com/get/someinfo. It's built in Spring.

However, these accesses are password protected. I'm now building a client app that will connect to this RESTful app and request data via a URL. How can I pass the credentials across? Currently, it just pops up the user/password box to the user, but I want the user to be able to type the username and password into a box on the client app, and have the client app give the credentials to the RESTful app when it requests data. The client is built using Struts.

Cheers

EDIT - I don't think I made the question clear enough. I'm already forcing HTTPS, my question is more, in-code, when I'm requesting data from www.site.com/get/someinfo, how do I pass my credentials alongside making the request?

You more or less have 3 choices:

  • HTTP Auth
  • Roll your own protocol, ideally HMAC challenge/response based
  • OAuth

    • OAuth is currently susceptible to a variation of a phishing attack, one that is largely undetectable to the target. As such I wouldn't recommend it until the protocol is modified.

    OAuth should also be a lesson about how difficult it is to design secure protocols, and so I'm hesitant to reccomend the roll your own route.

    That leaves HTTP auth, which is likely best if you can use it.

    All that said, almost everything on the internet uses form based authentication, and many don't even bother with https for transport level security, so perhaps simply sending the password text in the clear is "good enough" for your purposes. Even still I'd encourage using https, as that at least reduces the dangers to a man in the middle attack.

    If you can add HTTP headers to your requests you can just add the Authorization header: 

    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

    where you're using basic authentication and the QWxhZGRpbjpvcGVuIHNlc2FtZQ== bit is " username:password " base64 encoded (without the quotes). RFC 2617

    Well, https has nothing to do with authentication, it's just transport-level encryption.

    if you interact with an HTTP api, be it that it's https or not, and the dialog box pops up, it means its using HTTP authentication, either basic or digest. If your client instantiates an http client to read data from those "services", then you can pass those credentials when you instantiate the object.

    If you use client-side script, XmlHttpRequest supports http authentication as well.

    So in terms of code, how you pass the credentials to the RESTful services is dependent on the http client you're using (the object you instantiate to retrieve the data). You can simply collect such a username / password yourself from the client, and use it to call the other service.

    链接地址: http://www.djcxy.com/p/21970.html

    上一篇: 授权和构建RESTful后端的正确方法是什么?

    下一篇: 将凭据安全地提供给RESTFUL API