I agree that it's a mess. I guess you could even use HTTP Digest and
HTTP Basic Auth for authentication. Bit.ly uses a username and API
key system, but like CampaignMonitor, it's over HTTP so if someone
sniffs your traffic, you're toast.
It looks like API keys are the way to go for public-but-not-dangerous-
for-your-image services like Bit.ly, and HMAC + HTTPS is the way to go
for more secure REST services.
First, Wonder's ERRest.framework rocks! Thank you again Mike
Schrag! .... and that is not my first time saying that in the last
couple of days :-)
Second, I would like to get some opinions on REST authentication
approaches. There seems to be a plethora of approaches out there.
Probably the "easiest" for us WO devs is to make the user call a
https login URL first to authenticate with userid, password and if
successful, hand them back a response with Session cookie and just
use https and existingSession in cookie in our ERX route request
handling for the duration of the session. While easy for us, this
might be a little inconvenient for the client developer though since
they must now manage their session key and handle retries if the
session has timed out, etc.
So, if I were trying to get really simple (for the client/client-
developer) stateless REST authentication, whereby the client did not
have to maintain a session and every request has the authorization
aspect, then what are the best approaches? Anyone have any hands-on
experiences to share?
The simplest approach seems to be the API Key, but it seems a little
insecure ..... like a permanent session. For example these guys use
an api key and, if I am not mistaken, it seems they use it over
HTTP, so any traffic sniffer could pick it up: http://www.campaignmonitor.com/api/method/campaign-create/
Nevertheless this is obviously the easiest way for a client to
interoperate I would think..... and if done over https, then it
should be both secure and easy for a client implementation? Thoughts?
Then you look at Amazon's authentication. That seems like a very
secure solution? Any thoughts?
http://docs.amazonwebservices.com/AmazonS3/latest/index.html?RESTAuthentication.html
BTW, the java implementation for generating the ever-changing
Authorization code for AWS Auth can be found at:
ERAttachment/Sources/
com.amazon.s3.AWSAuthConnection.addAuthHeader(HttpURLConnection,
String, String)
So, thoughts, opinions?
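The HMAC-over-HTTPS approach raised in both messages above (the AWS S3 REST signing scheme linked in the original post, and the "HMAC + HTTPS" recommendation in the reply), as an added example that is not part of this thread nor of the Amazon or Wonder code: client-side signing and server-side verification in Python, keeping the S3 layout of the string to sign but using HMAC-SHA256 and a 15-minute Date freshness window. The access key, secret and resource paths are constructed for the demo.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed demo credentials; a real service keeps one secret per client
# and never sends the secret over the wire, only the signature.
KEYS = {"AKIADEMOACCESSKEY": b"demo-secret-never-commit-me"}
MAX_CLOCK_SKEW = timedelta(minutes=15)  # stale Date headers are rejected


def string_to_sign(method, content_md5, content_type, date, resource):
    # Same canonical layout as the S3 REST scheme: the signature covers the
    # verb, body digest, content type, date and canonical resource path.
    return "\n".join([method, content_md5, content_type, date, resource])


def sign_request(access_key, secret, method, resource, content_md5="",
                 content_type="", date=None):
    """Client side: build the Date and Authorization headers for one request."""
    date = date or format_datetime(datetime.now(timezone.utc), usegmt=True)
    msg = string_to_sign(method, content_md5, content_type, date, resource)
    mac = hmac.new(secret, msg.encode(), hashlib.sha256).digest()
    sig = base64.b64encode(mac).decode()
    return {"Date": date, "Authorization": f"AWS {access_key}:{sig}"}


def verify_request(headers, method, resource, content_md5="",
                   content_type="", now=None):
    """Server side: return the authenticated access key, or None if rejected."""
    try:
        scheme, cred = headers["Authorization"].split(" ", 1)
        access_key, sig = cred.split(":", 1)
        sent = parsedate_to_datetime(headers["Date"])
    except (KeyError, ValueError, TypeError):
        return None
    if sent.tzinfo is None:  # "-0000" dates parse as naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    secret = KEYS.get(access_key)
    if scheme != "AWS" or secret is None:
        return None
    now = now or datetime.now(timezone.utc)
    if abs(now - sent) > MAX_CLOCK_SKEW:
        return None  # stale or future-dated: a replayed capture is useless
    msg = string_to_sign(method, content_md5, content_type, headers["Date"], resource)
    expected = base64.b64encode(
        hmac.new(secret, msg.encode(), hashlib.sha256).digest()).decode()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return access_key if hmac.compare_digest(expected, sig) else None
```

Any change to the verb, path or Date after signing invalidates the signature, which is what makes this stateless for the client while keeping the secret off the wire.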
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/probert%40macti.ca
This email sent to prob...@macti.ca