REST Secure Authentication

6

I searched and found no solution to the following problem:
How do I track requests in a given REST service?

For example, if I have a blog in which I access my services (insert post, remove post, update post, for example) through an application, as follows: localhost:80/post/insert/id=1, and if I type this in the browser without making the request through the application, the insertion will be performed just the same. My question is:

How can I ensure that my REST services only respond to my application?

asked by anonymous 22.03.2014 / 19:32

2 answers

5

Since one of the rules of the REST pattern is a stateless client/server protocol, your request must contain everything that is required to understand the request, which includes authentication. How you do that is up to you. However, I can say that it is appropriate to use, as the request parameters, a user and a token. Always use HTTPS for the traffic, so that the data is encrypted.

More about the standard here: Wikipedia

22.03.2014 / 21:22
4

An alternative is to validate through tokens. That way, you can even limit the number of calls to your service. Some Google and Bing services are limited to 5,000 calls per day, beyond which the user must pay a subscription.

Suggestions:

  • Expiring token to prevent calls after a period of time.
  • username - user-level control.
  • Client IP - controls the source of the call.
  • Password hash - using public / private keys to change password hash.

You have a few more ideas in the links below:

23.03.2014 / 14:57
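A minimal version of the stateless user-plus-token check that both answers describe, with the expiring token suggested in the second one, as an added example that is not from the original answers: the server signs an expiry-bound token with an HMAC key and re-verifies it on every request, so a URL such as /post/insert typed into a browser without a valid token is refused. SECRET_KEY, issue_token, verify_token and handle_request are names chosen here, not anything from the question.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed placeholder; in a real deployment load this from configuration, never from source.
SECRET_KEY = b"server-side-secret-replace-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, ttl_seconds: int, now: float = None) -> str:
    """Build a self-contained token: b64(payload).b64(HMAC-SHA256(payload)).

    The payload carries the user (sub) and an absolute expiry (exp), so the
    server needs no session store to validate it later (stateless)."""
    now = time.time() if now is None else now
    claims = {"sub": username, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(token: str, expected_user: str, now: float = None) -> bool:
    """Accept only a token whose signature is intact, that has not expired,
    and that was issued to the user named in the request."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return False  # malformed token (e.g. someone pasting a bare URL)
    expected_mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected_mac):  # constant-time comparison
        return False
    claims = json.loads(payload)
    return claims.get("sub") == expected_user and now < claims.get("exp", 0)


def handle_request(params: dict, now: float = None) -> int:
    """Gate for a service such as /post/insert: 401 unless user and token check out."""
    user, token = params.get("user"), params.get("token")
    if not user or not token or not verify_token(token, user, now):
        return 401
    return 200
```

Sending the token in an Authorization header rather than a query parameter keeps it out of server and proxy logs, and the whole exchange still has to run over HTTPS as the first answer says.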