
So, I'm developing a REST webservice using RESTeasy and Google App Engine. My question isn't related to GAE, but I mentioned it just in case it matters. It happens that naturally I need to secure my resources and my own users (not Google's).

Securing a REST webservice seems like a very controversial subject, or at least a very 'liberal' one. REST doesn't impose any standard on this matter. From what I've researched on the web and literature, there are at least 3 approaches that I think might fit in my application:

  • HTTP Basic (with SSL)
  • HTTP Digest (with SSL)
  • OAuth

OAuth seems like the most complete approach. But I don't think that such a complexity is needed because I will not need to authorize any 3rd party applications. It is a webservice to be consumed by my own client applications only.

HTTP Basic and HTTP Digest appear as the most simple ones on the web, but the fact is that I've never found a concrete implementation of them using RESTeasy, for example. I've found this page and this one in RESTeasy's documentation. They are indeed very interesting, but they tell little or nothing on this subject (HTTP Basic or Digest).

So, here I am asking:

How do I secure my WebService using HTTP Basic or Digest in RESTeasy?

Perhaps it is so simple that it isn't worth mentioning in the documentation or anywhere else? Also, if anyone can provide me with some insight on the matter of securing RESTful webservices, it could be helpful.

Am I choosing the right approaches?

miguelcobain
  • Take a look at http://stackoverflow.com/questions/6296740/authentication-in-play-and-resteasy – Gerhard Schlager Jan 09 '12 at 09:37
  • Sorry, but you are doing a few things wrong here. 1) you updated the question with an answer/partial answer. If you have found the answer which is *not* provided by anyone else, you should add that answer and mark it as accepted. If someone else provided the answer, then you should mark *that* answer as accepted. 2) If you have an *additional* question, then ask *another* question, do not *add* to your question which will invalidate the answers already given. – casperOne Jan 12 '12 at 14:08
  • @casperOne, you are right, sorry. This was my first question here in Stack Overflow. Thanks. – miguelcobain Jan 15 '12 at 14:47
  • @miguelcobain Not a problem, everyone can use a little help when starting out. =) Use SO the way it's intended and it will work out great for you. Enjoy! – casperOne Jan 15 '12 at 15:33

4 Answers


The simplest way to secure a REST API is to use HTTP Basic authentication over SSL. Since the headers are encrypted there is not much point in using Digest. This should work great as long as you can keep the password secure on the client(s).

Luke Francl
  • Yes, that I understood and it is explained in the question. But thank you for clarifying. The question is which is the best way to implement it using RESTeasy. – miguelcobain Jan 10 '12 at 00:08
  • Sorry, that's what I get for skimming. There's some junk in the first link about `BASIC` but I don't see how to configure the username/password. Maybe you should re-tag this as "java" so more people see it. – Luke Francl Jan 10 '12 at 01:29
  • Yes, that was the only thing that I saw too. I will need to use my data backend to store and retrieve the users. I've added the tag "java". – miguelcobain Jan 10 '12 at 10:03

I've managed to accomplish this by using RESTeasy's Interceptors. Basically the requests are intercepted by using a listener-like class. In this class I inspect the request's HTTP headers and then the normal Basic-Auth process goes on.

Useful links:

http://en.wikipedia.org/wiki/Basic_access_authentication
Passing parameters in the message header with a REST API
http://www.alemoi.com/dev/httpaccess/ (the Servlet part)

I hope this helps anyone.

Thanks.

miguelcobain
  • I'd just like to add that sometimes using the authentication engine from the container might be more appropriate. For tomcat see [this page](http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html) about **realms**. – miguelcobain Dec 17 '12 at 17:02
  • Also, don't forget to consider Spring Security and Apache Shiro! – miguelcobain Feb 13 '13 at 10:21
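An added example of the interceptor approach described in this answer (not the answerer's own code): a JAX-RS 2 `ContainerRequestFilter`, which RESTeasy 3+ runs in place of the older `PreProcessInterceptor`, that parses the `Authorization: Basic` header, refuses to check credentials on a non-TLS request, and compares a PBKDF2 hash in constant time. The in-memory user table, the `alice`/`s3cret` credentials, the salt and the realm name are all constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import javax.annotation.Priority;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

@Provider @Priority(Priorities.AUTHENTICATION)
public class BasicAuthFilter implements ContainerRequestFilter {
    // Constructed store (name -> PBKDF2 hash) with a placeholder salt; real services load per-user salts and hashes from a backend.
    private static final byte[] SALT = "demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, byte[]> USERS = Collections.singletonMap("alice", pbkdf2("s3cret", SALT));

    @Override
    public void filter(ContainerRequestContext ctx) {
        String[] creds = parseBasic(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
        if (!ctx.getSecurityContext().isSecure()) { // Basic is only base64: never check it off TLS
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        } else if (creds == null || !checkPassword(creds[0], creds[1])) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"api\"").build());
        }
    }
    // Returns {user, password} or null for a missing or malformed header.
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':'); // split on the first colon only; passwords may contain ':'
            return colon < 0 ? null : new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)};
        } catch (IllegalArgumentException e) { return null; } // not valid base64
    }
    static boolean checkPassword(String user, String password) {
        byte[] given = pbkdf2(password, SALT); // hash even for unknown users so timing does not reveal names
        byte[] expected = USERS.get(user);
        return expected != null && MessageDigest.isEqual(expected, given);
    }
    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(new PBEKeySpec(password.toCharArray(), salt, 100_000, 256)).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

`isSecure()` reflects what the container itself sees, so behind a TLS-terminating proxy (as on App Engine) the check must instead trust the proxy's forwarded-protocol header.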

You will definitely face a security risk when using any authentication method without SSL.

But if you did use SSL, you will usually suffer from poor performance.

OAuth is actually a solution to allow 3rd parties to obtain access to your webservices.

Due to the limited selection, my solution for the current webservices that require authentication used the combination of SSL+Basic.

ligerdave

You might look at using OAuth 2. It is significantly simpler than OAuth 1 and is actively being used on large REST APIs by Facebook and Google.

abraham
  • I think it's good to use OAuth 2 if the end-users will have to authorize access to third party applications (as is the case with FB), but if the client of the API is his own application and they are part of the same ecosystem, I think OAuth is not needed. – luben Jan 09 '12 at 07:38
  • Like @Lyuben said, the only applications that will consume this service are my own. Why should OAuth be suitable in this case? – miguelcobain Jan 09 '12 at 21:29
  • I read "to secure my resources and my own users" to imply that you had users that would be using OAuth. If you are the only consumer than OAuth is overkill. BasicAuth would be fine. – abraham Jan 09 '12 at 22:22
  • Yes, that is what I thought. The real question here is how to implement it in RESTeasy. Its documentation merely "scratches the surface" on this matter. JBOSS could really have done better on this. But it is a great framework anyway. – miguelcobain Jan 10 '12 at 00:10