How are REST URLs protected?

For example, I have a GET URL like https://localhost/8080/user. It will give a list of users. How can I protect this info if someone is accessing it?

Tunaki
  • You can use any authentication mechanism available to HTTP (and some more from HTTPS). Very common are "access tokens" which you pass along using the Authorization header. – Thilo Sep 11 '16 at 12:13
  • https://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm#RESTF115 – Infamous Sep 11 '16 at 12:13
  • Will this security mechanism be applicable if I am working with Angular JS to make my views part by invoking the URL? – Prashanth Subramanian Sep 11 '16 at 12:19

1 Answer

From the server's point of view there is no difference between answering a restful service request and answering a page request.

Thus you can use exactly the same mechanisms.

This is valid whichever way the REST service is requested: from an application, from Angular, etc.

Concrete example

The most common is to use a login with password authentication, which provides a cookie to the user, which is sent together with the request when that request is later issued.

In order to do that you can have a restful API endpoint such as 'login' which will be called by specifying username and password.

It could look like this:

https://yoursite.com/api/login?user=xxx&pwd=xxx

Your server would then check whether username and password are correct, and if so simply answer an almost empty message, but with the following header included:

Set-Cookie: session=yyyyyyyyyy

Later on, your users can query your restful service normally, the cookie will be automatically added to their requests. Your server will be able to check if the session id is valid, and if not deny the resource.

Vic Seedoubleyew
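
The login-then-cookie flow from the answer above, as an added example that is not part of the original post: the server issues a random session id on login and refuses the user list unless the Cookie header carries a live one. The function names, the account store, the cookie attributes, and taking credentials from a POST body instead of the query string (URLs are commonly written to server logs and browser history) are assumptions of this sketch.

```python
import hashlib, hmac, secrets, time
from http.cookies import SimpleCookie

SESSION_TTL = 1800                      # seconds; lifetime chosen for this example
SALT = secrets.token_bytes(16)          # one salt for the demo; use one per user in practice

def _hash(pwd: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pwd.encode(), SALT, 600_000)

USERS = {"alice": _hash("correct horse")}   # constructed sample account store
DUMMY = _hash("")                           # compared against when the user is unknown
SESSIONS = {}                               # session id -> (username, expiry time)

def login(user: str, pwd: str):
    """POST /api/login: credentials arrive in the request body, not the URL."""
    stored = USERS.get(user)
    # Always hash and compare so response time does not reveal valid usernames
    ok = hmac.compare_digest(_hash(pwd), stored or DUMMY)
    if stored is None or not ok:
        return 401, {}
    sid = secrets.token_urlsafe(32)         # unguessable session id
    SESSIONS[sid] = (user, time.time() + SESSION_TTL)
    cookie = (f"session={sid}; HttpOnly; Secure; SameSite=Strict; "
              f"Path=/; Max-Age={SESSION_TTL}")
    return 204, {"Set-Cookie": cookie}

def get_users(cookie_header: str):
    """GET /user: return the list only when the Cookie header holds a live session."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    sid = jar["session"].value if "session" in jar else ""
    user, expiry = SESSIONS.get(sid, (None, 0))
    if user is None or expiry < time.time():
        SESSIONS.pop(sid, None)             # drop expired ids
        return 401, None
    return 200, sorted(USERS)
```

`HttpOnly` keeps page scripts from reading the session id, `Secure` restricts it to HTTPS, and `SameSite=Strict` stops the browser from attaching it to cross-site requests.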