45

I am new to the concept of RESTful APIs.

I am designing a RESTful API for an online store.

I have not properly understood the concept of basic HTTP authentication over SSL.

Does it mean that for every request the user will have to enter his/her username and password again?

Can somebody explain in detail how it functions and how it is meant to be used?

Henke
Kanishk Dudeja

1 Answer

71

Basic authentication is just a standard HTTP header with the user and pass encoded in base64:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

(http://en.wikipedia.org/wiki/Basic_access_authentication). If you authenticate your REST API calls by this header over a non-SSL connection, the problem is that any man in the middle can decode your username and password from your auth header.

To make sure that your password is sent securely, instead of a normal HTTP connection you must use HTTPS. The only difference between HTTP and HTTPS is that HTTPS is using the SSL/TLS security protocol over TCP/IP instead of plain TCP/IP.

Now this has the drawback that establishing an HTTPS connection is more expensive on the CPU than a normal HTTP connection. It is very clear that if you want to authenticate your REST calls on every request with this header you should make your REST API only available to HTTPS connections.

MKroeders
Ovidiu Buligan
    Will the authorization header have to be sent with every request that goes to the server? – Kanishk Dudeja Oct 12 '13 at 10:24
  • 4
    Yes. Because the REST API doesn't have state (for ex: logged-in user state). I think that for big applications you have to have an authentication module or filter which has state. Or something like OAuth. I would certainly look also to try to understand OAuth 2 for example, which is a more complete and general solution for anyone who uses your API. – Ovidiu Buligan Oct 12 '13 at 11:55
  • And will the header automatically get cached and sent by my browser again and again? Or will I need to send the header by the API code? – Kanishk Dudeja Oct 12 '13 at 11:59
  • You will need to send the header at each request – Ovidiu Buligan Oct 12 '13 at 12:04
  • Ignore my previous comment, it seems the browser caches the credentials. Here is a question on the same subject: http://security.stackexchange.com/questions/988/is-basic-auth-secure-if-done-over-https – Ovidiu Buligan Oct 12 '13 at 12:13
  • Okay. Last thing. For the first time too, it is the browser's responsibility to encode it into a base 64 string, right? – Kanishk Dudeja Oct 12 '13 at 13:27
  • Yes, you generally don't need to be concerned about encoding it because you use a JavaScript API to set the user and password for the basic authentication – Ovidiu Buligan Oct 14 '13 at 12:52
  • Just want to mention that basic authentication is described in RFC 7617 (https://tools.ietf.org/html/rfc7617). It is always worth referring to a standard. – Michael Chudinov Sep 29 '17 at 11:00
  • This answer is out of date since the solution provided in the wikipedia page has been deprecated. – galactikuh Feb 08 '19 at 15:51
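The header construction and the per-request server-side check that the answer and its comments describe, as an added Python example; it is not code from the original post or from any commenter. It assumes a constructed in-memory user table with a made-up salt (passwords stored only as salted PBKDF2 hashes), and reuses the "Aladdin" / "open sesame" pair from the Wikipedia example the answer quotes. The client side builds the header (base64 of `user:password`); the server side, being stateless, parses and verifies the header on every request, and answers 401 with a `WWW-Authenticate` challenge when the header is missing, malformed or wrong. The parser splits on the first colon only, since passwords may contain colons, and the check hashes even for unknown usernames so response timing does not reveal which accounts exist.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample data for this example: a fixed salt and one user record.
# Real deployments use a random per-user salt; nothing here is from the original post.
_SALT = b"constructed-salt-16b"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted password hash; the server never stores the clear password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {
    "Aladdin": (_SALT, _pbkdf2("open sesame", _SALT)),
}

CHALLENGE = {"WWW-Authenticate": 'Basic realm="store", charset="UTF-8"'}


def build_basic_header(username: str, password: str) -> str:
    """Client side: the value a browser or HTTP library places in the Authorization header."""
    if ":" in username:
        raise ValueError("RFC 7617: the user-id must not contain a colon")
    creds = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password) from the header, or None if it is malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # Split on the FIRST colon only: the password part may itself contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header: Optional[str]) -> Tuple[int, dict]:
    """Check one request; returns (HTTP status, response headers).

    There is no session state, so every request is checked independently,
    which is why the client must resend the header each time.
    """
    parsed = parse_basic_header(header)
    if parsed is None:
        return 401, dict(CHALLENGE)
    username, password = parsed
    record = USERS.get(username)
    # Hash even for unknown users so timing does not leak which usernames exist.
    salt, expected = record if record else (_SALT, bytes(32))
    candidate = _pbkdf2(password, salt)
    if record is not None and hmac.compare_digest(candidate, expected):
        return 200, {}
    return 401, dict(CHALLENGE)


if __name__ == "__main__":
    # Three requests in a row: each one carries (or fails to carry) the header on its own.
    good = build_basic_header("Aladdin", "open sesame")
    print(good)                                # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(authenticate(good)[0])               # 200
    print(authenticate(None))                  # (401, {'WWW-Authenticate': ...})
    print(authenticate("Basic bm90LWJhc2U2NA"))  # 401: decodes, but no colon / unknown user
```

Note that the base64 step is an encoding, not encryption: anyone who can read the header can recover the password, which is the reason the answer insists on HTTPS for every request that carries it.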