Hi Ayesha,

IMO, if you have an intention to expose your API to third party developers, the best way to secure it is using OAuth2, where a third party developer can generate his consumer id/secret, generate an API token and use that token to access the APIs. WSO2 APIM is using that protocol. If you wish you can use WSO2 IS as a token provider, but I believe in your case basic auth [1] over SSL would be sufficient enough.

And why do we need two REST APIs here? Can't we validate the user directly in your CRUD REST API?

[1] http://tools.ietf.org/html/rfc2617

On Wed, Oct 15, 2014 at 11:27 AM, Ruchira Wageesha <ruch...@wso2.com> wrote:

> On Wed, Oct 15, 2014 at 11:18 AM, Ayesha Dissanayaka <aye...@wso2.com> wrote:
>
>> Hi all,
>>
>> I have implemented the ES Publisher REST API in order to access and perform CRUD operations on ES BackOffice.
>>
>> Each endpoint is authenticated by a valid Session-ID, passed to the endpoint in the request header.
>>
>> In order to obtain a session-ID we have implemented a separate authenticate REST endpoint. A user can send username and password in a POST request to this endpoint and if the credentials are valid a session-id will be returned.
>>
>> Currently, no encryption or other (basic-auth/oauth) authorization mechanism is yet implemented.
>>
>> What would be the lightweight and best way to secure this 'authentication' endpoint? Is there a particular WSO2 way of doing this?
>
> I assume you need to get a recommendation for securing all the REST APIs, whether to use OAuth, Basic Auth etc., as you have secured it based on the cookie, right??
>
> Anyway, in order to secure the auth endpoint, you will have to at least use HTTPS.
>
>> Thanks!
>> - Ayesha
>>
>> --
>> Ayesha Dissanayaka
>> Software Engineer,
>> WSO2, Inc : http://wso2.com
>> 20, Palmgrove Avenue, Colombo 3
>> E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
>
> --
> Ruchira Wageesha
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware | wso2.com
> email: ruch...@wso2.com, blog: ruchirawageesha.blogspot.com, mobile: +94 77 5493444
>
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Roshan Wijesena.
Senior Software Engineer - WSO2 Inc.
Mobile: +94752126789
Email: ros...@wso2.com
WSO2, Inc. : wso2.com
lean.enterprise.middleware.
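The suggestion in the reply above is to drop the separate session endpoint and validate the user on every CRUD request with HTTP Basic auth (RFC 2617) over TLS. The following is an added illustration of what that check looks like; it is example code written for this thread, not part of ES, APIM or IS. The credential store, the realm name `es-publisher`, and the `is_https` flag (standing in for whatever the server exposes about the transport) are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed, hypothetical credential store: username -> PBKDF2 digest.
# A real deployment would look the user up in the product's user store.
_SALT = b"constructed-example-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


USERS = {"ayesha": _hash_password("correct horse battery staple")}
# Digest used for unknown users so their requests cost the same time as known ones.
_DUMMY = _hash_password("dummy")


def make_basic_header(user: str, password: str) -> str:
    """Build the value a client sends in 'Authorization' (RFC 2617 section 2)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value):
    """Return (user, password) from a Basic header value, or None if malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # The user name may not contain ':', so split at the first one only.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate_request(headers, is_https):
    """Decide a CRUD request's fate from its headers.

    Returns (status, response_headers, principal):
      403 when the request did not arrive over TLS (never read credentials
          off plain HTTP),
      401 plus a WWW-Authenticate challenge when the header is missing,
          malformed or wrong,
      200 plus the user name when the credentials check out.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="es-publisher"'}
    if not is_https:
        return 403, {}, None
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, challenge, None
    user, password = creds
    stored = USERS.get(user, _DUMMY)
    # Always hash and compare in constant time, even for unknown users,
    # so response timing does not reveal which user names exist.
    ok = hmac.compare_digest(_hash_password(password), stored) and user in USERS
    if not ok:
        return 401, challenge, None
    return 200, {}, user


if __name__ == "__main__":
    hdr = {"Authorization": make_basic_header("ayesha", "correct horse battery staple")}
    print(authenticate_request(hdr, is_https=True))   # (200, {}, 'ayesha')
    print(authenticate_request(hdr, is_https=False))  # (403, {}, None)
```

Because the credentials travel on every request, the check only makes sense behind TLS, which is why the function refuses before it even looks at the header when `is_https` is false. The constant-time comparison and the dummy digest for unknown users are the two details most often missed when this is hand-rolled; a framework's built-in Basic auth filter normally handles both.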