1

Let's say I have some Web API and I want it to be used only by the users who know the password. And I have a URL like this:

GET http://api.example.com/v1/dog/123 

I don't need too much security here. So, it is secure enough to just supply a password like this:

GET http://api.example.com/v1/dog/123?password=myPassword 

Of course, it's plain text and a GET request, which is not secure at all. But I can't use HTTPS for now (if it would help).

What are the other options for decent but not complicated authentication?

1 Answer

1

It seems that an explicit user login would be in order. Once the user is authenticated, authentication cookies in the GET request allow access to the resource.

If your web service is in Java, the J2EE container takes care of all this for you. See the following tutorial: http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html. To sum this up, the application server provides protection on a per-resource basis. The server also allows you to choose from multiple methods of authentication (form, basic, ...).


10 Comments

But how can a desktop application use a cookie?
This is a standard approach for authentication. If the desktop application is a web client (like a browser or a REST client application), then upon attempting to access a remote, protected URI/resource, the client will be required to log in. Upon successful login, the server will respond with cookies, one of which corresponds to the user's session (JSESSIONID for a Java server)....
The client, in turn, will include this cookie in subsequent requests to the server. The server will then read this cookie and recognize that it represents an authenticated user, thus providing access to the resource.
The browser comment was just for reference. The behavior of any web client will be similar to a browser (e.g. request/response, include cookies from domain in subsequent requests...)
I see. What data should a cookie contain? It can't contain just isAuth=true because it's insecure.
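
What the session cookie discussed in the answer and comments can carry, as an added example (not code from the original thread): an opaque random ID that the server maps to the logged-in user, so a client-chosen value such as isAuth=true grants nothing. The class and function names, the SESSIONID cookie name, the TTL and the sample user are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
from http.cookies import SimpleCookie, CookieError

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class SessionStore:
    """Server-side session table; the cookie holds only a random lookup key."""

    def __init__(self, ttl=1800, clock=time.time):
        self._users = {}      # username -> (salt, password hash)
        self._sessions = {}   # session id -> (username, expiry time)
        self._ttl, self._clock = ttl, clock

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hash_password(password, salt))

    def login(self, username, password):
        """Check credentials; return a Set-Cookie value, or None on failure."""
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        sid = secrets.token_urlsafe(32)  # 256 random bits, no meaning by itself
        self._sessions[sid] = (username, self._clock() + self._ttl)
        # No Secure flag: the question rules out HTTPS, so over plain HTTP
        # this ID is as readable in transit as the password in the URL was.
        return f"SESSIONID={sid}; HttpOnly; Path=/"

    def authenticate(self, cookie_header):
        """Return the username for a request's Cookie header, or None."""
        try:
            jar = SimpleCookie(cookie_header or "")
        except CookieError:
            return None
        sid = jar["SESSIONID"].value if "SESSIONID" in jar else None
        username, expiry = self._sessions.get(sid, (None, 0))
        if username is None or self._clock() >= expiry:
            self._sessions.pop(sid, None)  # drop unknown or expired entries
            return None
        return username

if __name__ == "__main__":
    store = SessionStore()
    store.add_user("alice", "correct horse")  # constructed sample user
    header = store.login("alice", "correct horse")
    print(store.authenticate(header.split(";", 1)[0]))  # the logged-in user
    print(store.authenticate("isAuth=true"))            # forged cookie
```
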