6

I'm building a restful web-service based on Spring. I'm using Spring Security. It will be accessed only by desktop applications. Basically a machine-to-machine web-service.

  • I want a custom service that does the authentication. Then perform other, more sensitive operations based on the result of the authentication.

  • Another option is to send the credentials in the body of each request and basically do the authentication each time.

Logic says that the first approach would be the most efficient because there is quite some overhead in authenticating each and every time.

What do you suggest related to this? To go stateless or stateful? Are there major disadvantages to the stateful approach?

Up to this point I read some chapters from Java Web Services Up and Running and also several questions from SO such as this.

Ariel Chelsău

2 Answers

3

The REST way to do this is, as stated in the links you provide, to authenticate on each request, and NOT to keep sessions.

As for authenticating with username/password on each request, it is secure if you can use ... a secure layer (https); else, the pair is sent in clear text and discoverable.

Another option is to use something like the AWS way to do it (links to Amazon here and here, for example). Here for other explanations: buzzmedia and samritchie

Maybe OAuth is an option, but I don't have experience with it.

jmclem
  • So this is more like a design pattern for security inside REST web-services. My question is: isn't this slower, less efficient? In a SOAP based web-service I'm not aware of any recommendation to avoid sessions. Are there clear advantages to going fully stateless? Thank you! – Ariel Chelsău Jun 18 '12 at 08:04
  • As for performance: I'd say that the few instructions needed to compute a hash, or the few bytes transmitted for auth info are by far irrelevant compared to overall transmission and request processing time. – jmclem Jun 18 '12 at 08:13
  • Yes, request processing time can be a problem. I mean, each time the credentials are passed in, a database lookup has to be done to authenticate the user. – Ariel Chelsău Jun 18 '12 at 08:14
  • Again: how long is a modern DB request compared to network transmission time? My guess: nearly nothing. I would here first do it properly, the REST way. Then, in case it's slow, do profiling to see what the bottleneck is. It will very probably not be the one DB request for auth. If it were, try to optimize. Not before. – jmclem Jun 18 '12 at 08:30
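The "AWS way" mentioned in the answer above, as an added illustration that is not part of the original answer: the client signs each request with an HMAC over a canonical form of the request, and the server re-derives the signature from its own copy of the client's secret, so no session is kept and the password itself never travels on the wire. The client id, header names, secret and timestamp window below are constructed for this example; in a real service the per-client secret lookup is the one store access per request that the comments discuss.

```python
import hashlib
import hmac
import time

# Constructed shared secrets, one per desktop client (stands in for a user store).
SECRETS = {"desktop-app-1": b"s3cr3t-shared-key"}
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is too far from server time

def canonical_string(method, path, timestamp, body):
    """Canonical form that both client and server sign: method, path,
    timestamp and a hash of the body, so none of them can be altered in transit."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])

def sign_request(client_id, method, path, body, timestamp):
    """Client side: build the headers that authenticate exactly one request."""
    secret = SECRETS[client_id]
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body).encode(), hashlib.sha256)
    return {"X-Client-Id": client_id, "X-Timestamp": str(timestamp), "X-Signature": mac.hexdigest()}

def verify_request(method, path, body, headers, now=None):
    """Server side: recompute the signature for this request and compare.
    Returns (accepted, reason) and keeps no state between calls."""
    now = time.time() if now is None else now
    secret = SECRETS.get(headers.get("X-Client-Id"))
    if secret is None:
        return False, "unknown client"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale request"  # limits how long a captured request stays usable
    expected = hmac.new(secret, canonical_string(method, path, ts, body).encode(), hashlib.sha256).hexdigest()
    # constant-time comparison, so a wrong signature is not rejected byte by byte
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"
```

As with the username/password variant, this still needs TLS to protect the request contents; the signature only proves who sent the request and that it was not modified.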
0

To start with a REST Service (Client - Server) I will strongly recommend you to use Restlet

Authentication to this REST Service can be defined using ClientResource. Example:

    import org.restlet.data.ChallengeScheme;
    import org.restlet.resource.ClientResource;

    // Builds a ClientResource whose every request carries HTTP Basic credentials.
    private static ClientResource getClientResource(String uri) {
        ClientResource clientResource = new ClientResource(uri);
        // The credentials are attached to each request this resource sends.
        clientResource.setChallengeResponse(ChallengeScheme.HTTP_BASIC,
                "username", "password");
        return clientResource;
    }
AzizSM
  • While I appreciate the suggestion, I would like to know whether sending the username and password for each request is a viable option when it comes to securing a REST web-service. Thanks! – Ariel Chelsău Jun 18 '12 at 06:32
  • You can authenticate through a login resource, and then just check for a cookie on every request. That's how we do it at least – Gonzalo Jun 26 '12 at 14:53