I am trying to implement session management in my REST service. I came to know these guidelines while surfing:
Not using server side sessions – it violates the RESTful principle.
Using HTTP Basic authentication – Not possible right now, as I am asked not to use SSL/TLS (which is no doubt needed for Basic auth.)
Using Http digest – I heard this increases network traffic. This sounds costly, especially when my client is a mobile device.
Using cookies – I am told I should never rely on cookies for securing my important resources, they can be spoofed easily. Plus, I read about cross-site scripting attacks through cookies.
I am left with an option of generating an authentication token, which the user has to send every time – which I admit is not “entirely” RESTful.
Now I need to know, how should I generate these unique authentication tokens, which are secure enough at a business level? Is there some library for Jersey? Should I go for OAuth? I have just read a little about them, are they useful in my case? Please keep in mind that my target clients are mobile devices – can they access an OAuth service?
import java.util.UUID;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;

// Plaintext of the token: random UUID | project secret | user name | creation time.
// The creationDateTime field is what the server later checks against its time-to-live.
String key = UUID.randomUUID().toString().toUpperCase() + "|" + someImportantProjectToken + "|" + userName + "|" + creationDateTime;
StandardPBEStringEncryptor jasypt = new StandardPBEStringEncryptor();
// ...
jasypt.setPassword(serverSecret); // the encryptor needs a secret before encrypt(); the original elides this configuration
// this is the authentication token user will send in order to use the web service
String authenticationToken = jasypt.encrypt(key);
The key contains the creationDateTime so that I can use it to verify the time-to-live. This way, if the user uses the same authentication token after X minutes, it will not work anymore, and I’ll send back a 403 forbidden code.
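The answer above shows only the issuing side. The following added example (not the answerer's code, and not part of the original thread) fills in the server-side check it describes: decrypt the token, confirm the project secret, and reject the token with an empty result (so the resource can answer 403) once the creation time is older than the time-to-live. To keep it dependency-free it substitutes JDK-only AES-GCM for jasypt's PBE encryptor; because GCM is authenticated encryption, a token whose ciphertext was altered fails the tag check before any field is parsed. The class name TokenService, the issue/verify methods and the constructed values in main are all assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.UUID;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Token = base64url( nonce || AES-GCM("UUID|projectToken|userName|creationEpochMillis") ).
public final class TokenService {
    private static final String ALGORITHM = "AES/GCM/NoPadding";
    private static final int NONCE_BYTES = 12;
    private static final int TAG_BITS = 128;
    private static final String SEPARATOR = "|";

    private final SecretKey serverKey;      // held only by the server
    private final String projectToken;      // the "someImportantProjectToken" of the answer
    private final Duration timeToLive;      // the "X minutes" of the answer
    private final SecureRandom random = new SecureRandom();

    public TokenService(SecretKey serverKey, String projectToken, Duration timeToLive) {
        this.serverKey = serverKey;
        this.projectToken = projectToken;
        this.timeToLive = timeToLive;
    }

    /** Called after the username/password check succeeded; returns the token the client must send back. */
    public String issue(String userName, Instant now) throws GeneralSecurityException {
        if (userName.contains(SEPARATOR)) {
            throw new IllegalArgumentException("user name must not contain the field separator");
        }
        String key = UUID.randomUUID().toString().toUpperCase() + SEPARATOR
                + projectToken + SEPARATOR
                + userName + SEPARATOR
                + now.toEpochMilli();
        byte[] nonce = new byte[NONCE_BYTES];
        random.nextBytes(nonce); // fresh nonce per token; it is stored in front of the ciphertext
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, serverKey, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ciphertext = cipher.doFinal(key.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ciphertext.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ciphertext, 0, out, nonce.length, ciphertext.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Returns the user name if the token is genuine and still inside its time-to-live; empty otherwise (caller answers 403). */
    public Optional<String> verify(String token, Instant now) {
        byte[] raw;
        try {
            raw = Base64.getUrlDecoder().decode(token);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not even valid base64url
        }
        if (raw.length <= NONCE_BYTES) {
            return Optional.empty();
        }
        String key;
        try {
            Cipher cipher = Cipher.getInstance(ALGORITHM);
            cipher.init(Cipher.DECRYPT_MODE, serverKey, new GCMParameterSpec(TAG_BITS, raw, 0, NONCE_BYTES));
            byte[] plain = cipher.doFinal(raw, NONCE_BYTES, raw.length - NONCE_BYTES);
            key = new String(plain, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            return Optional.empty(); // forged or altered token: GCM tag check failed
        }
        String[] parts = key.split("\\|", -1);
        if (parts.length != 4 || !projectToken.equals(parts[1])) {
            return Optional.empty(); // wrong layout or wrong project secret
        }
        Instant created;
        try {
            created = Instant.ofEpochMilli(Long.parseLong(parts[3]));
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        if (created.isAfter(now) || now.isAfter(created.plus(timeToLive))) {
            return Optional.empty(); // expired: the time-to-live window has passed
        }
        return Optional.of(parts[2]);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256);
        // constructed demo values: a 30-minute time-to-live and a made-up project secret
        TokenService service = new TokenService(gen.generateKey(), "demo-project-token", Duration.ofMinutes(30));
        Instant issued = Instant.now();
        String token = service.issue("alice", issued);
        // alter one base64 character inside the ciphertext region (index 20 is past the 16-char nonce prefix)
        char c = token.charAt(20);
        String tampered = token.substring(0, 20) + (c == 'A' ? 'B' : 'A') + token.substring(21);
        System.out.println("fresh token   -> " + service.verify(token, issued.plus(Duration.ofMinutes(5))));
        System.out.println("expired token -> " + service.verify(token, issued.plus(Duration.ofMinutes(31))));
        System.out.println("tampered token-> " + service.verify(tampered, issued));
    }
}
```

In a Jersey filter the resource would call verify on the header value and map an empty result to the 403 the answer mentions; the nonce prefix is what lets the server decrypt without keeping any per-token state, which is the stateless property the question is after.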