Hi,

The API can be secured using either BasicAuth or OAuth. WSO2 IS SCIM endpoint is one example.

If BasicAuth is used, the client side might have to store the username/password. If OAuth is used, and the API is accessed via a browser, the user can be redirected to the authorization server to get authenticated, which removes the risk of having user credentials at the client side. Either way, SSL should be used to avoid man-in-the-middle attacks.

Hope this helps.

Thanks
Dulanja

On Wed, Oct 15, 2014 at 11:18 AM, Ayesha Dissanayaka <aye...@wso2.com> wrote:
> Hi all,
>
> I have implemented ES Publisher REST API in order to access and perform
> CRUD operations on ES-BackOffice.
>
> Each endpoint is authenticated by a valid Session-ID, passed to the
> endpoint in the request header.
>
> In order to obtain a session-ID we have implemented a separate
> authenticate REST endpoint. A user can send username and password in the
> POST request to this endpoint and if credentials are valid a session-ID
> will be returned.
>
> Currently, no encryption or other (basic-auth/oauth) authorization
> mechanism is yet implemented.
>
> What would be the lightweight and best way to secure this 'authentication'
> endpoint? Is there a particular WSO2 way of doing this?
>
> Thanks!
> - Ayesha
>
> --
> Ayesha Dissanayaka
> Software Engineer,
> WSO2, Inc : http://wso2.com
> 20, Palmgrove Avenue, Colombo 3
> E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
>
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>

--
Dulanja Liyanage
WSO2 Inc.
M: +94776764717
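As an added example (not code from this thread, from WSO2 IS, or from the ES Publisher project), here is a minimal Python model of the session-issuing "authenticate" endpoint the question describes, applying the two points from the reply: the password is accepted only over TLS and only at the one authenticate call, and what the client keeps afterwards is a random, expiring Session-ID rather than the credentials. The request type, the user store, the hashing parameters and every sample value are constructed for the example.

```python
"""Constructed model of a BasicAuth-over-TLS authenticate endpoint that
issues a session-ID, plus the guard the CRUD endpoints would use."""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed user store holding PBKDF2 hashes only, never plaintext.
# A real store uses a random per-user salt; a fixed one keeps the example short.
_SALT = b"constructed-static-salt"


def _hash_password(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


USERS = {"ayesha": _hash_password("correct horse battery staple")}  # constructed user

SESSION_TTL_SECONDS = 900
_sessions = {}  # session_id -> (user, expiry epoch seconds)


@dataclass
class Request:
    scheme: str   # "https" or "http", as the front-end/terminator reports it
    headers: dict


class AuthError(Exception):
    pass


def parse_basic_auth(header: str):
    """Decode 'Authorization: Basic base64(user:password)'."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise AuthError("expected Basic credentials")
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except Exception:
        raise AuthError("malformed Basic credentials")
    user, _, password = decoded.partition(":")
    return user, password


def authenticate(req: Request) -> str:
    """The authenticate endpoint: verify credentials once, return a session-ID."""
    if req.scheme != "https":  # never accept a password over cleartext
        raise AuthError("TLS required")
    user, password = parse_basic_auth(req.headers.get("Authorization", ""))
    stored = USERS.get(user)
    # Always hash and compare, even for unknown users, so the response time
    # does not reveal which usernames exist; compare in constant time.
    candidate = _hash_password(password)
    ok = hmac.compare_digest(candidate, stored if stored else _hash_password(""))
    if stored is None or not ok:
        raise AuthError("invalid credentials")
    session_id = secrets.token_urlsafe(32)  # unguessable, opaque to the client
    _sessions[session_id] = (user, time.time() + SESSION_TTL_SECONDS)
    return session_id


def require_session(req: Request, now=None) -> str:
    """Guard for the CRUD endpoints: resolve the Session-ID header to a user."""
    if req.scheme != "https":  # the session-ID is a bearer secret too
        raise AuthError("TLS required")
    sid = req.headers.get("Session-ID", "")
    entry = _sessions.get(sid)
    if entry is None:
        raise AuthError("unknown session")
    user, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        _sessions.pop(sid, None)
        raise AuthError("session expired")
    return user


def logout(session_id: str) -> None:
    """Invalidate a session-ID server-side so a leaked one stops working."""
    _sessions.pop(session_id, None)


def basic_header(user: str, password: str) -> str:
    """Build the client-side Authorization header value (used by the sample run)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    sid = authenticate(Request("https", {"Authorization": basic_header("ayesha", "correct horse battery staple")}))
    print("user for session:", require_session(Request("https", {"Session-ID": sid})))
```

The client discards the password after the authenticate call and sends only the Session-ID on later requests; because that ID is a bearer secret, the guard refuses it over plain HTTP just as the authenticate endpoint refuses the password, and `logout` plus the TTL bound how long a leaked ID remains usable.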