Secure authentication via REST

Viewed 3,464 times

6

I searched and could not find a solution to the following problem:
How do I control requests to a particular REST service?

For example, if I have a blog where I access my services (insert post, remove post, update post, for example) through a URL such as localhost:80/post/insert/id=1 from my application, and I then type that same URL into the browser without going through the application, the insertion is performed just the same. My question is:

How can I ensure that my REST services will only respond to my application?

2 answers

5

Since one of the rules of the REST standard is a stateless client/server protocol, your request must contain everything that is necessary to understand it, which includes authentication. How you do this is up to you. However, I can say that it is appropriate to use a user and a token as parameters of the request. Always use HTTPS for the traffic, so that the data is encrypted.

More about the standard (in English) here: Wikipedia

  • Is it recommended/feasible to send the token in the Authorization header? And why also send the user? Apart from the possibility of limiting the number of calls to the service by the same user, as suggested in the other reply, is there some other reason?

4


An alternative is to validate through tokens. That way you can even limit the number of calls to your service. Some Google and Bing services are limited to 5,000 calls per day; beyond that the user must pay for a subscription.

Suggestions:

  • token with expiration, to avoid calls after a period of time.
  • username - user-level control.
  • client IP - controls the call source.
  • password hash - using public/private keys for password hashing.

There are some more ideas in the links below:
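As an added example of what both answers describe (this is not code from the question or from either answer), the following is a small server-side implementation: it issues a signed token that expires after a fixed period and is bound to a user name, reads the token from the Authorization header as the comment on the first answer asks about, refuses requests that did not arrive over HTTPS, and enforces a per-user daily call quota like the 5,000-calls-per-day limit mentioned above. The server secret, the `PostService` class, the `Bearer` header format, the time-to-live and the quota value are all assumptions made for this demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret; a real service loads this from a secret store, never from source.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 3600      # assumption: tokens live for one hour
DAILY_CALL_LIMIT = 5000       # assumption: same figure the answer quotes for Google/Bing


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, now: Optional[float] = None) -> str:
    """Issue '<payload>.<signature>' where the payload names the user and an expiry time."""
    issued = int(now if now is not None else time.time())
    claims = {"sub": user, "exp": issued + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signature = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64encode(payload)}.{_b64encode(signature)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user the token belongs to, or None if it is malformed, forged or expired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64decode(payload_b64)
        signature = _b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    # Recompute the MAC over the presented payload; compare in constant time.
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= current:
        return None
    user = claims.get("sub")
    return user if isinstance(user, str) else None


class PostService:
    """Toy blog back end: every call needs a valid token, and each user has a daily quota."""

    def __init__(self) -> None:
        self.posts = {}
        self.calls_today = {}

    def _authorize(self, headers: dict, scheme: str, now: Optional[float]) -> Tuple[Optional[str], Optional[Tuple[int, str]]]:
        if scheme != "https":
            return None, (403, "https required")
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None, (401, "missing bearer token")
        user = verify_token(auth[len("Bearer "):], now)
        if user is None:
            return None, (401, "invalid or expired token")
        count = self.calls_today.get(user, 0) + 1
        if count > DAILY_CALL_LIMIT:
            return None, (429, "daily quota exceeded")
        self.calls_today[user] = count
        return user, None

    def insert_post(self, post_id: int, body: str, headers: dict,
                    scheme: str = "https", now: Optional[float] = None) -> Tuple[int, str]:
        """The 'insert post' operation from the question, now gated on a valid token."""
        user, error = self._authorize(headers, scheme, now)
        if error is not None:
            return error
        self.posts[post_id] = {"owner": user, "body": body}
        return (201, "created")


if __name__ == "__main__":
    service = PostService()
    token = issue_token("alice")
    headers = {"Authorization": "Bearer " + token}
    print(service.insert_post(1, "hello", headers))      # (201, 'created')
    print(service.insert_post(2, "x", {}))               # (401, 'missing bearer token')
    print(service.insert_post(3, "x", headers, "http"))  # (403, 'https required')
```

Putting the user name inside the signed token, rather than sending it as a separate parameter, means a client cannot substitute another user's name while keeping a valid signature, yet the server still learns which user made each call and can apply the per-user quota and user-level controls the second answer lists. Typing the URL into a browser, as in the question, then fails with 401 because the browser sends no Authorization header.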
