
I am developing several RESTful APIs for 3rd parties to call, and these APIs need authentication (API key & secret based) and authorization (HTTP method & URI based).

Is there any existing software we can reuse that would save me from rolling out our own implementation of the security layer?

Howard

3 Answers


HTTP gives you built-in support for that, so you don't need to reinvent the wheel.

Either use:

  • HTTP Auth Basic (with SSL to bypass plain-text password submit problem)
  • HTTP Auth Digest

Auth Digest has the advantage that it does not transmit the password in cleartext and handles replay attacks (with nonces).

We use HTTP Auth Digest (Tomcat servlet container has direct support for it) and we are content with it.

EDIT: Some clients have problems with Digest (it is not so trivial), so these days I would opt for Basic and SSL. An advantage of Basic is also that you can use preemptive authentication (sending user:pwd in the first request).

manuel aldana
  • I want authorization as well, e.g. for some API such as POST http://www.example.com/adduser, I only want to grant access to some clients. – Howard Aug 20 '10 at 17:10
  • I see, it then depends on the technology platform you use. If you use Java and a servlet container, then you can use built-in authorization based on roles. You attach these roles to allowed URLs and therefore can enforce visibilities. You then group a set of clients into roles (i.e. client1+2 belong to role1, client3-6 to role2). If the role-based approach is too coarse grained (i.e. each client has different access rules) you need to implement a further authorization layer. But first try whether role security fits your requirements (easier to implement). – manuel aldana Aug 21 '10 at 12:17

If you're building your API using Ruby on Rails (3.2.0 or higher), check out the restful_api_authentication gem - https://rubygems.org/gems/restful_api_authentication

Dave

Independently of your technology, you can implement a system like the one AWS uses.

  • Each registered user must have a userid and a secret access key (SAK).
  • Each request must be signed with the SAK and must contain the userid. (Take the time stamp into account too.)
  • The server, given the userid, retrieves the SAK from the DB and signs the request again; if the signatures match, continue, otherwise return an error.

Implementation is not too difficult, but you need to take into account that each request to the server requires querying the store to retrieve the SAK. One option is to use a NoSQL DB or similar (like Redis or memcache) to store the userid/SAK pairs.

acanimal
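As an added example (not code from any of the answers above), here is the signed-request scheme acanimal describes combined with the method/URI authorization Howard asked for: the client signs method, path, timestamp and body hash with its secret; the server looks the secret up, recomputes the signature, rejects stale timestamps to limit replay, and then checks the caller's role against the requested method and URI. The header names, the key store and the role table are constructed for this example.

```python
import hmac, hashlib, time

# Constructed sample key store: userid -> (secret access key, role)
KEYS = {
    "client1": (b"s3cr3t-key-for-client1", "admin"),
    "client3": (b"another-secret-key", "reader"),
}
# Constructed role table: role -> set of (method, path) the caller may use
ROLES = {
    "admin": {("GET", "/users"), ("POST", "/adduser")},
    "reader": {("GET", "/users")},
}
MAX_SKEW = 300  # seconds a request timestamp may differ from server time

def string_to_sign(method, path, timestamp, body=b""):
    # Bind method, URI, timestamp and a body hash so none can be altered in transit
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{timestamp}\n{body_hash}".encode()

def sign(secret, method, path, timestamp, body=b""):
    return hmac.new(secret, string_to_sign(method, path, timestamp, body),
                    hashlib.sha256).hexdigest()

def client_headers(userid, secret, method, path, body=b"", now=None):
    # Client side: produce the headers that accompany a request (hypothetical names)
    ts = str(int(now if now is not None else time.time()))
    return {"X-User-Id": userid, "X-Timestamp": ts,
            "X-Signature": sign(secret, method, path, ts, body)}

def authorize(method, path, headers, body=b"", now=None):
    """Server side. Returns (status, reason): 401 auth failed, 403 not allowed, 200 ok."""
    now = now if now is not None else time.time()
    entry = KEYS.get(headers.get("X-User-Id", ""))
    if entry is None:
        return 401, "unknown userid"
    secret, role = entry
    ts = headers.get("X-Timestamp", "")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW:
        return 401, "timestamp outside allowed window"  # bounds replay of old requests
    expected = sign(secret, method, path, ts, body)
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return 401, "bad signature"  # constant-time compare avoids timing leaks
    if (method, path) not in ROLES.get(role, set()):
        return 403, "role not permitted for this method and URI"
    return 200, "ok"
```

In a real deployment the KEYS lookup is the per-request store query acanimal mentions, and a nonce cache in addition to the timestamp window would stop replays inside the window.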