4

I have implemented a win service. I 'd like to extend it to have some features enabled via REST. I have implemented it using WCF rest features and it works as I want. So far so good.

My problem is security and authentication. As I know there is no 'one way' for authentication I have read several articles about it...also here and other forums, blogs over the internet...and I'am totally lost. I have read pros and contras about SSL, OAUTH, HMAC and so on.

The feature I need is to authenticate user somehow, user name/password would be the best way for me.

These users are coming from internet browsers, but later I plan to have some more clients in the future, like Android or IPhone apps.

So, which do you think the best (and simplest...) way to authenticate a user for a rest protocol?

Thanks!

.Net4/WCF/Visual Studio 2010

Tom
  • 3,899
  • 22
  • 78
  • 137
  • It'd be worth having a read through this SO question: http://stackoverflow.com/questions/454355/security-of-rest-authentication-schemes – Russ Clarke Aug 23 '11 at 14:04
  • Thanks, I have already read earlier it but I did not get clear and straightforward answers – Tom Aug 23 '11 at 14:06
  • Ok, how do you actually intend to authorize your users, are you going to use Windows Authentication or a custom database ? – Russ Clarke Aug 23 '11 at 14:09
  • I have a custom database – Tom Aug 23 '11 at 14:09
  • 1
    Pablo's blog entry has a good example: http://weblogs.asp.net/cibrax/archive/2009/03/20/custom-basic-authentication-for-restful-services.aspx - I've just downloaded the demo project and it looks pretty clear, it provides a way to implement a custom membership provider that you can tailor to use your own database and it excepts user credentials via basic authentication: http://en.wikipedia.org/wiki/Basic_access_authentication – Russ Clarke Aug 23 '11 at 14:15
  • Does not it need IIS? My app is a win service and ai don't plan to use IIS in this project. – Tom Aug 23 '11 at 14:17
  • Ahh ok, sorry - I don't have any experience of that; I've only had to provide authentication through an IIS membership provider. – Russ Clarke Aug 23 '11 at 14:29
  • Thx anyway to try to help me! – Tom Aug 23 '11 at 14:44

3 Answers3

1

So, which do you think the best (and simplest...) way to authenticate a user for a rest protocol?

The simplest RESTful authentication scheme is definitely HTTP basic authentication. Of course, it is not very secure but it can be a first step.

On the server-side, you can do it with zero code, by just setting up an HTTP reverse proxy (Apache, Cherokee or any other).

On the client-side, it is also zero code most of the time (with Java, .Net, jQuery.ajax, plain XMLHttpRequest, etc.).

Aurélien Bénel
  • 3,775
  • 24
  • 45
0

By definition any means of authentication would require per-user state. Even if that state is in the form of a password or api key. But this part of the REST is disregarded by every REST api I have ever used because they all require an API Key. Perhaps REST isn't the best option when security is a concern. Browsers are good at keeping track of session id's and using a session id is more secure than an API key because the value expires. Using a session id is a very secure and proven design pattern although it is "less RESTful". However the overhead requirements are quite minimal.

rook
  • 66,304
  • 38
  • 162
  • 239
0

If you want to authenticate over HTTP for HTTP or REST service, just follow what AWS does. It works, it's in production, there's examples of implementation (both the client and server side).

http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html

Will Hartung
  • 115,893
  • 19
  • 128
  • 203