26

So, I'm developing a REST webservice using RESTeasy and Google App Engine. My question isn't related to GAE, but I mentioned it just in case it matters. It happens that naturally I need to secure my resources and my own users (not Google's).

Securing a REST webservice seems like a very controversial subject, or at least a very 'liberal' one. REST doesn't impose any standard on this matter. From what I've researched on the web and literature, there are at least 3 approaches that I think might fit in my application:

  • HTTP Basic (with SSL)
  • HTTP Digest (with SSL)
  • OAuth

OAuth seems like the most complete approach. But I don't think that such a complexity is needed because I will not need to authorize any 3rd party applications. It is a webservice to be consumed by my own client applications only.

HTTP Basic and HTTP Digest appear to be the simplest ones on the web, but the fact is that I've never found a concrete implementation of them using RESTeasy, for example. I've found this page and this one in RESTeasy's documentation. They are indeed very interesting, but they say little or nothing on this subject (HTTP Basic or Digest).

So, here I am asking:

How do I secure my web service using HTTP Basic or Digest in RESTeasy?

Perhaps it is so simple that it isn't worth mentioning in the documentation or anywhere else? Also, if anyone can provide me some insight on the matter of securing RESTful webservices, it could be helpful.

Am I choosing the right approaches?

4
  • Take a look at stackoverflow.com/questions/6296740/… Commented Jan 9, 2012 at 9:37
  • 1
    Sorry, but you are doing a few things wrong here. 1) you updated the question with an answer/partial answer. If you have found the answer which is not provided by anyone else, you should add that answer and mark it as accepted. If someone else provided the answer, then you should mark that answer as accepted. 2) If you have an additional question, then ask another question, do not add to your question which will invalidate the answers already given. Commented Jan 12, 2012 at 14:08
  • 1
    @casperOne, you are right, sorry. This was my first question here in Stack Overflow. Thanks. Commented Jan 15, 2012 at 14:47
  • @miguelcobain Not a problem, everyone can use a little help when starting out. =) Use SO the way it's intended and it will work out great for you. Enjoy! Commented Jan 15, 2012 at 15:33

4 Answers

6

The simplest way to secure a REST API is to use HTTP Basic authentication over SSL. Since the headers are encrypted there is not much point of using Digest. This should work great as long as you can keep the password secure on the client(s).


3 Comments

Yes, that I understood and it is explained in the question. But thank you for clarifying. The question is which is the best way to implement it using RESTeasy.
Sorry, that's what I get for skimming. There's some junk in the first link about <auth-method>BASIC</auth-method> but I don't see how to configure the username/password. Maybe you should re-tag this as "java" so more people see it.
Yes, that was the only thing that I saw too. I will need to use my data backend to store and retrieve the users. I've added the tag "java".
6

I've managed to accomplish this by using RESTeasy's Interceptors. Basically the requests are intercepted by using a listener-like class. In this class I inspect the request's HTTP headers and then the normal Basic-Auth process goes on.

Useful links:

http://en.wikipedia.org/wiki/Basic_access_authentication
Passing parameters in the message header with a REST API
http://www.alemoi.com/dev/httpaccess/ (the Servlet part)

I hope this helps anyone.

Thanks.

2 Comments

I'd just like to add that sometimes using the authentication engine from the container might be more appropriate. For tomcat see this page about realms.
Also, don't forget to consider Spring Security and Apache Shiro!
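The interceptor approach in the accepted answer, written out as an added example (this is not the answerer's code, and it is not RESTeasy's own API documentation). The 2012 answer used RESTeasy 2's PreProcessInterceptor; this version uses the standard JAX-RS 2.0 ContainerRequestFilter, which RESTeasy 3 and later run the same way. The realm name, the request property name "auth.user", and the in-memory USERS map standing in for the poster's own user backend are all assumptions made for the example; a real deployment would look the user up in its data store and compare against a salted password hash rather than a stored password. As the first answer notes, Basic only hides the password by Base64, so this filter is only meaningful behind TLS.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * HTTP Basic authentication as a JAX-RS 2.0 request filter (RESTeasy 3+).
 * Added example, not code from the original answer. Runs before resource
 * matching (@PreMatching) and ahead of other filters (AUTHENTICATION priority).
 */
@Provider
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public class BasicAuthFilter implements ContainerRequestFilter {

    // Assumption: the realm string is arbitrary; clients echo it back in the challenge.
    private static final String REALM = "my-api";

    // Assumption: a constructed stand-in for the poster's own user backend.
    // Production code would store a salted hash (bcrypt/PBKDF2), not the password.
    private static final Map<String, String> USERS =
            Collections.singletonMap("alice", "s3cret");

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        // Scheme name is case-insensitive per RFC 7617; anything else gets a challenge.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            challenge(ctx);
            return;
        }

        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedBase64) {
            challenge(ctx);
            return;
        }

        // Split on the FIRST colon only: the password itself may contain ':'.
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            challenge(ctx);
            return;
        }
        String user = decoded.substring(0, colon);
        String pass = decoded.substring(colon + 1);

        if (!credentialsValid(user, pass)) {
            challenge(ctx);
            return;
        }
        // Hand the authenticated principal to resources (assumption: property name is ours).
        ctx.setProperty("auth.user", user);
    }

    /** Unknown users run the same hash-and-compare path as known ones, so timing is uniform. */
    private static boolean credentialsValid(String user, String pass) {
        String expected = USERS.getOrDefault(user, "");
        // Hashing both sides gives equal-length inputs; isEqual then compares in constant time.
        boolean match = MessageDigest.isEqual(sha256(expected), sha256(pass));
        return match && USERS.containsKey(user);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** 401 with a WWW-Authenticate header so clients know which scheme and realm to use. */
    private static void challenge(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE,
                        "Basic realm=\"" + REALM + "\", charset=\"UTF-8\"")
                .build());
    }
}
```

Register the class like any other provider (classpath scanning, or add it to your Application's getClasses()); on Jakarta EE 9+ replace the javax imports with jakarta. A quick check from the client side is `curl -u alice:s3cret https://host/api/resource`, which should return the resource, while `curl -i https://host/api/resource` with no credentials should return 401 with the WWW-Authenticate header. Inside a resource, `@Context ContainerRequestContext` or `request.getProperty("auth.user")` gives you the user the filter accepted. This is the servlet-independent route; the container-realm approach mentioned in the comment above does the same job at the servlet layer instead.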
1

You will definitely face a security risk when using any authentication method without SSL.

But if you do use SSL, you will usually suffer from poor performance.

OAuth is actually a solution to allow third parties to obtain access to your web services.

Due to the limited selection, my solution for current web services that require authentication uses the combination of SSL + Basic.


0

You might look at using OAuth 2. It is significantly simpler than OAuth 1 and is actively being used on large REST APIs by Facebook and Google.

4 Comments

I think it's good to use OAuth 2 if the end-users will have to authorize access to third party applications (as is the case with FB), but if the client of the API is his own application and they are part of the same ecosystem, I think OAuth is not needed.
Like @Lyuben said, the only applications that will consume this service are my own. Why should OAuth be suitable in this case?
I read "to secure my resources and my own users" to imply that you had users that would be using OAuth. If you are the only consumer than OAuth is overkill. BasicAuth would be fine.
Yes, that is what I thought. The real question here is how to implement it in RESTeasy. Its documentation merely "scratches the surface" on this matter. JBOSS could really have done better on this. But it is a great framework anyway.
