How does authentication work in a RESTFul stateless environment?

5

My question is:

Imagine 3 Tomcat servers (s1, s2, s3), all 3 of which connect to a single DBMS server (s_bd1).

The three Tomcat servers run an application that is RESTful and stateless in nature, so they do not load the user session. Here are my two questions:

1) How can user authentication, done on the login screen, persist across future requests when the user can be routed between the 3 servers transparently? (e.g. an insert request is sent to s1 and an update request is sent to s2...)

2) How will s2 recognize the user if their login was done on s1 and the environment is stateless?

asked by anonymous 19.09.2014 / 03:45

1 answer

7

In the case of RESTful APIs, the same mechanisms used in HTTP apply. On the other hand, although many web applications use cookies, it would be strange to use them in an API.

So the most common approach is to use the Authorization header with its Basic, Digest or Bearer variants.

A very popular option is to use OAuth with Bearer (Bearer Token). The header looks something like this (pseudo-code follows):

string token = "tokenReceivedViaOAuthLogin..probably_quite_long";
// The bearer token is sent exactly as issued by the authorization server;
// it is not wrapped in an extra base64 layer (RFC 6750).
string authHeader = "Bearer " + token;
request.headers["Authorization"] = authHeader;

If you choose Basic you can either use your web server to check the credentials or implement this yourself. The format is as follows:

// Basic: "username:password", base64-encoded (RFC 7617). This is an
// encoding, not encryption, so the credentials are readable by anyone
// who sees the header.
string credenciais = "username:password";
string authHeader = "Basic " + base64Encode(credenciais);
request.headers["Authorization"] = authHeader;

In both cases, use HTTPS to ensure that this header travels safely.

These are not the only ways to do this, but I see them in many of the RESTful APIs I use, and I have implemented them in almost all of those as well. I would personally recommend OAuth, especially if you are thinking of making this API available to a commercial system.

A major exception among the APIs I use are the Amazon APIs (AWS). AWS uses a form of digital signature on each request.

19.09.2014 / 04:04