Session management: How to generate an authentication token for a REST service? (Jersey)

I am trying to implement session management in my REST service. I came across these guidelines while surfing:

  1. Not using server-side sessions – they violate the REST principle.

  2. Using HTTP Basic authentication – not possible right now, as I have been asked not to use SSL/TLS (which is without doubt needed for Basic auth).

  3. Using HTTP Digest – I heard this increases network traffic, which sounds costly, especially when my client is a mobile device.

  4. Using cookies – I am told I should never rely on cookies for securing my important resources, as they can be spoofed easily. Plus, I have read about cross-site scripting attacks through cookies.

  5. I am left with the option of generating an authentication token, which the user has to send every time – which I admit is not “entirely” RESTful.

Now I need to know: how should I generate these unique authentication tokens so that they are secure enough at a business level? Is there some library for Jersey? Should I go for OAuth? I have just read a little about it; is it useful in my case? Please keep in mind that my target clients are mobile devices – can they access an OAuth service?

Answers

For simplicity's sake, I generate my own authentication token using a UUID and then encrypt the entire token with Jasypt:

import java.util.UUID;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;

// plaintext key: random UUID | project-wide secret | user name | creation timestamp
String key = UUID.randomUUID().toString().toUpperCase() +
        "|" + someImportantProjectToken +
        "|" + userName +
        "|" + creationDateTime;

StandardPBEStringEncryptor jasypt = new StandardPBEStringEncryptor();

// ... (encryptor configuration omitted in the original answer)

// this is the authentication token the user will send in order to use the web service
String authenticationToken = jasypt.encrypt(key);

The key contains the creationDateTime so that I can use it to verify the time-to-live. This way, if the user uses the same authentication token after X minutes, it will not work anymore, and I’ll send back a 403 forbidden code.
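The following is an added example, not code from the answer above or from the Jasypt project. It keeps the answer's token layout (random id | project token | user name | creation time) and its time-to-live check, but protects the token with HMAC-SHA256 from the standard javax.crypto API instead of Jasypt PBE encryption, so it runs with no extra dependency and any change to the user name or timestamp makes verification fail. The 30-minute TTL, the project token value "project-42" and the user "alice" are assumptions chosen for the demonstration; the HMAC key is generated at start-up here only so the example runs stand-alone.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not code from the original answer. Token layout follows the answer
 * (random id | project token | user name | creation time), but instead of Jasypt PBE
 * encryption the token is authenticated with HMAC-SHA256, so a client cannot alter
 * the user name or the creation time without the server noticing.
 */
public final class AuthTokens {
    private static final Duration TTL = Duration.ofMinutes(30);      // the answer's "X minutes"; assumed value
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private static final SecureRandom RNG = new SecureRandom();

    private final byte[] hmacKey;        // server-side secret; never leaves the server
    private final String projectToken;   // stands in for the answer's someImportantProjectToken

    public AuthTokens(byte[] hmacKey, String projectToken) {
        this.hmacKey = hmacKey.clone();
        this.projectToken = projectToken;
    }

    /** Issue a token; call this only after the user's credentials have been checked. */
    public String issue(String userName, Instant now) {
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);                        // same role as the answer's UUID: makes every token unique
        String payload = ENC.encodeToString(nonce) + "|" + projectToken + "|" + userName + "|" + now.toEpochMilli();
        String payloadB64 = ENC.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        return payloadB64 + "." + ENC.encodeToString(hmac(payloadB64));
    }

    /** Returns the user name if the token is authentic and within its TTL, empty otherwise. */
    public Optional<String> verify(String token, Instant now) {
        int dot = token.lastIndexOf('.');
        if (dot < 0) return Optional.empty();
        String payloadB64 = token.substring(0, dot);
        byte[] presentedMac;
        try {
            presentedMac = DEC.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty();                 // MAC part is not base64url: reject
        }
        // Constant-time comparison; String.equals would leak the position of the first mismatch.
        if (!MessageDigest.isEqual(hmac(payloadB64), presentedMac)) return Optional.empty();

        // From here on the payload is one we issued ourselves, so decoding cannot fail.
        String[] parts = new String(DEC.decode(payloadB64), StandardCharsets.UTF_8).split("\\|", -1);
        if (parts.length != 4 || !projectToken.equals(parts[1])) return Optional.empty();  // also rejects names containing '|'
        long createdMillis;
        try {
            createdMillis = Long.parseLong(parts[3]);
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        Instant created = Instant.ofEpochMilli(createdMillis);
        // Expired tokens and tokens dated in the future (clock skew or a forged timestamp) are rejected.
        if (now.isBefore(created) || now.isAfter(created.plus(TTL))) return Optional.empty();
        return Optional.of(parts[2]);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        RNG.nextBytes(key);                          // real service: load from a keystore or config, not per start-up
        AuthTokens tokens = new AuthTokens(key, "project-42");   // "project-42" is an assumed project token
        Instant issuedAt = Instant.parse("2024-01-01T00:00:00Z");

        String token = tokens.issue("alice", issuedAt);
        System.out.println("5 min later:  " + tokens.verify(token, issuedAt.plus(Duration.ofMinutes(5))));
        System.out.println("31 min later: " + tokens.verify(token, issuedAt.plus(Duration.ofMinutes(31))));
        System.out.println("before issue: " + tokens.verify(token, issuedAt.minusSeconds(1)));

        char[] c = token.toCharArray();
        c[0] = (c[0] == 'A') ? 'B' : 'A';            // flip one character of the payload
        System.out.println("tampered:     " + tokens.verify(new String(c), issuedAt.plus(Duration.ofMinutes(1))));
    }
}
```

Only the first verify call succeeds; the expired, future-dated and tampered tokens all come back empty. To wire this into Jersey, a ContainerRequestFilter (javax.ws.rs.container) reads the token from the Authorization header via requestContext.getHeaderString("Authorization"), calls verify with Instant.now(), and on an empty result calls requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build()) so the resource method never runs. Without TLS the token is still visible to anyone on the path, which is the same exposure the questioner accepted for the credentials themselves; the HMAC only stops a client from altering or forging a token, not from replaying one it has captured.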