So after reading lots about BasicAuth, OAuth, JWT... etc. I came up with this question.

I have a client where some people can log in (authentication is done). When people want to do an API call they use the client's GUI and the client sends some requests to a web service endpoint.

host/resources/{id}

```java
// id=path, res=post
@POST
@Path("/resources/{id}")
public Response updateResourceById(@PathParam("id") String id, Resource res) {
    ....
}
```

So a typical update call could be

POST host/resources/1234 -d={ some json for a resource }

Now I don't want every user to have all rights for every resource, so I would need to add some info about the user who is doing a request.

For this I was thinking of using some JSON token with some payload (or any user info at all). But I was wondering how to send this token correctly in a RESTful API.

My first idea would be to change the code to something like this:

```java
// id=path, token=post
@POST
@Path("/resources/{id}")
public Response updateResourceById(@PathParam("id") String id, Token token) {
    ...
}
```

The endpoint would not change, only the POST data.

Would this be correct or are there other approaches?

Edit: Also possible would be sending the Token via HTTP Header.

Gobliins

  • Two ideas to keep in mind are either to use cookies that encode which user is doing the request and then filter out the user's rights in the backend, or to use other HTTP headers to transmit the auth token. – Johannes Jander Feb 12 '16 at 09:53

1 Answer

Sending credentials in HTTP

In HTTP, the credentials should be sent in the standard HTTP Authorization header.

Have a look at the RFC 7235, the current reference for authentication in HTTP 1.1:

4.2. Authorization

The Authorization header field allows a user agent to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401 (Unauthorized) response. Its value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.

Authorization = credentials

[...]

Please note that the name of this HTTP header is unfortunate because it carries authentication data instead of authorization. Anyway, this is the standard header for sending credentials.

In token-based authentication, the tokens are credentials. In this approach, hard credentials such as username and password are exchanged for a token that is sent in each request to identify a user.

It never hurts to say that you should use HTTPS when sending sensitive data, such as credentials, over the wire. HTTPS will protect your application against the man-in-the-middle attack.

Reading the authentication token in JAX-RS

You can read the Authorization header in a JAX-RS application as follows and then check if the token is valid:

```java
@GET
public Response myMethod(@HeaderParam("Authorization") String token) {
    ...
}
```

However, a better approach would be using a ContainerRequestFilter, keeping your endpoints lean and focused on the business logic. For more information on token-based authentication and on how to use a ContainerRequestFilter, have a look at this question.

cassiomolin

    I would add that one should consider using a secured connection – Louis F. Feb 12 '16 at 10:18
  • do you know how a swagger yaml/json file must look to get header parameters in methods – Gobliins Feb 12 '16 at 15:23
  • @Gobliins I don't have this information from the top of my head and it seems a different question for me. Hence, consider asking a new one. But you can have a look at this [answer](http://stackoverflow.com/a/35270568/1426227) and at this [answer](http://stackoverflow.com/a/33672270/1426227) to have some inspiration on how to use Swagger with JAX-RS to send the `Authorization` header. – cassiomolin Feb 12 '16 at 15:39
  • Is it possible to put multiple infos in the authorization header? – Gobliins Feb 19 '16 at 12:34
  • @Gobliins Consider using JWT tokens, so you can store whatever you want in the token. – cassiomolin Feb 19 '16 at 12:48
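The two points above, sending the token in the `Authorization` header rather than in the POST body (the question) and reading it once in a `ContainerRequestFilter` instead of in every endpoint (the answer), put together as an added example. This is not code from the question, from cassiomolin's answer or from any project; it assumes JAX-RS 2.x with the `javax.ws.rs` namespace (newer releases use `jakarta.ws.rs`), a `Bearer` scheme as in RFC 6750, and the hypothetical names `Secured`, `AuthenticationFilter`, `TokenStore`, `Permissions` and `Resource`. `TokenStore` is a constructed in-memory stand-in for real token validation.

```java
// Secured.java: name-binding annotation; only endpoints marked @Secured go through the filter
import java.lang.annotation.*;
import javax.ws.rs.NameBinding;

@NameBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
public @interface Secured {}

// AuthenticationFilter.java: reads the Authorization header once, before any endpoint runs
import java.security.Principal;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

@Secured
@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFilter implements ContainerRequestFilter {

    private static final String SCHEME = "Bearer";

    @Override
    public void filter(ContainerRequestContext ctx) {
        // Expect "Authorization: Bearer <token>"; the scheme name is case-insensitive
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, SCHEME + " ", 0, SCHEME.length() + 1)) {
            abortUnauthorized(ctx);
            return;
        }
        String token = header.substring(SCHEME.length()).trim();

        final String username;
        try {
            username = TokenStore.usernameFor(token);
        } catch (IllegalArgumentException e) {
            abortUnauthorized(ctx); // unknown or malformed token: same response, no detail leaked
            return;
        }

        // Hand the authenticated identity to the endpoint through the standard SecurityContext
        final boolean secure = ctx.getSecurityContext().isSecure();
        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return () -> username; }
            @Override public boolean isUserInRole(String role) { return false; }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return SCHEME; }
        });
    }

    private static void abortUnauthorized(ContainerRequestContext ctx) {
        // 401 plus a WWW-Authenticate challenge, as RFC 7235 requires
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, SCHEME + " realm=\"resources\"")
                .build());
    }
}

// TokenStore.java: constructed placeholder. A real service would verify a signed token
// (signature, expiry, issuer) or look an opaque token up in a session store.
import java.util.Collections;
import java.util.Map;

final class TokenStore {
    private static final Map<String, String> TOKENS =
            Collections.singletonMap("constructed-token-for-alice", "alice");

    static String usernameFor(String token) {
        String user = TOKENS.get(token);
        if (user == null) throw new IllegalArgumentException("unknown token");
        return user;
    }
}

// ResourceEndpoint.java: the questioner's endpoint, identity taken from the SecurityContext
import javax.ws.rs.*;
import javax.ws.rs.core.*;

@Path("/resources")
public class ResourceEndpoint {

    @POST
    @Path("/{id}")
    @Secured
    @Consumes(MediaType.APPLICATION_JSON)
    public Response updateResourceById(@PathParam("id") String id, Resource res,
                                       @Context SecurityContext securityContext) {
        String user = securityContext.getUserPrincipal().getName();
        // Authorization (who may update which resource) is decided here in the backend,
        // never from identity data the client placed in the POST body. Permissions is hypothetical.
        if (!Permissions.canUpdate(user, id)) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // ... apply res to the stored resource ...
        return Response.noContent().build();
    }
}
```

A client then sends `POST host/resources/1234` with `Authorization: Bearer constructed-token-for-alice` and the JSON body unchanged; the filter runs at `AUTHENTICATION` priority before the endpoint, so a request without a valid token is answered with 401 and never reaches `updateResourceById`. Keeping the token out of the request body also means the same filter protects GET and DELETE endpoints, which have no body to carry it. As the answer notes, this only holds up over HTTPS, since a bearer token is a credential and anyone who reads it can replay it.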