So, I'm developing a REST webservice using RESTeasy and Google App Engine. My question isn't related to GAE, but I mentioned it just in case it matters. It happens that na
I've managed to accomplish this by using RESTeasy's Interceptors. Basically the requests are intercepted by using a listener-like class. In this class I inspect the request's HTTP headers and then the normal Basic-Auth process goes on.
Useful links:
http://en.wikipedia.org/wiki/Basic_access_authentication
Passing parameters in the message header with a REST API
http://www.alemoi.com/dev/httpaccess/ (the Servlet part)
I hope this helps anyone.
Thanks.
You will definitely face a security risk when using any authentication method without SSL.
But if you did use SSL, you will usually suffer from poor performance.
OAuth is actually a solution to allow 3rd parties to obtain access to your webservices.
Due to the limited selection, my solution for a current webservice that requires authentication used the combination of SSL+basic.
The simplest way to secure a REST API is to use HTTP Basic authentication over SSL. Since the headers are encrypted there is not much point in using Digest. This should work great as long as you can keep the password secure on the client(s).
You might look at using OAuth 2. It is significantly simpler than OAuth 1 and is actively being used on large REST APIs by Facebook and Google.