Questions tagged [rest-security]

RESTful security tag groups all posts related to securing REST applications

50 questions
840 votes, 18 answers
Best Practices for securing a REST API / web service
When designing a REST API or service are there any established best practices for dealing with security (Authentication, Authorization, Identity Management)? When building a SOAP API you have WS-Security as a guide and much literature exists on the…
asked by Nathan
792 votes, 14 answers
RESTful Authentication
What does RESTful Authentication mean and how does it work? I can't find a good overview on Google. My only understanding is that you pass the session key (remeberal) in the URL, but this could be horribly wrong.
asked by Jim Keener
235 votes, 6 answers
Security of REST authentication schemes
Background: I'm designing the authentication scheme for a REST web service. This doesn't "really" need to be secure (it's more of a personal project) but I want to make it as secure as possible as an exercise/learning experience. I don't want to use…
asked by dF.
40 votes, 1 answer
Spring @EnableResourceServer vs @EnableOAuth2Sso
Most of the tutorials I've read so far use @EnableOAuth2Sso instead of @EnableResourceServer on the API gateway. What are the differences? What does OAuth2Sso do in contrast? Details: I'm implementing a security/infra architecture for spring-based…
33 votes, 2 answers
JWT (Json web token) Vs Custom Token
I was looking through the questions but I did not find anything which could solve my doubt. I found extensive information about JWT, but not much when comparing the advantages JWT could offer over generating a custom token to authentication requests…
asked by Deibys
15 votes, 4 answers
Authorizing REST Requests
I'm working on a REST service that has a few requirements: It has to be secure. Users should not be able to forge requests. My current proposed solution is to have a custom Authorization header that looks like this (this is the same way that the…
asked by jonnii
11 votes, 2 answers
SSO and REST Api Authentication on multiple Application
At our company we have multiple web applications deployed that are secured through SSO using CAS server. A user requests a URL of an application, and if not already authenticated, gets redirected to the CAS server login page. In case of successful…
asked by marco.eig
9 votes, 1 answer
Securing REST endpoint using spring security
I am trying to provide security to the REST endpoints. I am following instructions from this page. In my case I don't have a view, hence I haven't created a controller to specify the views and haven't added a viewResolver in my AppConfig.java. After…
7 votes, 1 answer
Verify http requests from signed jar
I'm writing a client for my web application, and I signed the release jar with my developer certificate. How can I verify that a request to the REST service was from my signed jar?
asked by ilya.stmn
4 votes, 2 answers
Is it possible to use Cognito's Authorization code grant type as an authorizer in the API gateway?
I would like to know whether there is any way to implement the authorization code grant type as an Authorizer for securing the API gateway. As I searched, the 'Authorization code' grant type is most recommended for securing an API. I found the below article which…
4 votes, 4 answers
Secure REST service to consume only by specific android app
My server exposes a number of REST services. I want to secure the web services in such a way that they can be consumed only by the Android apps owned by me. Essentially both client (Android app) and server are developed by me; and I need to expose the…
asked by yottabrain
4 votes, 2 answers
Is it good idea to use encrypted database ID instead of UUID in the web service URL?
Good day, I've implemented a REST service. In the URL of the resource end-point I use IDs which are primary keys of tables of the database. For example http://host/myapp/items/item/4. I've learned that using the database ID in the URL is a bad practice and I…
asked by Vojtech
4 votes, 1 answer
RESTful Authentication with Phone Number Verification Requirement
How would one handle RESTful authentication when authentication is performed with a phone number that must be verified? For example, let's say a user wants to sign in. The user would hit an endpoint with a phone number that would then queue a text…
asked by Baub
3 votes, 1 answer
Why don't APIs use access token instead of refresh token?
I've already seen Why Does OAuth v2 Have Both Access and Refresh Tokens? https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/ As per my understanding, this is how OAuth v2 works: 1) user sends his credentials to the server…
asked by mrid
2 votes, 1 answer
Spring with two security configurations - failed API login redirects to form login page. How to change?
I have a Spring Boot application with two security configurations (two WebSecurityConfigurerAdapters), one for a REST API with "/api/**" endpoints, and one for a web front-end at all other endpoints. The security configuration is here on Github and…
asked by workerjoe