restful-authentication

When creating a web service (RESTful), what status code should I use when session token is invalid? Currently the one in my company sends me a 404, not found, but I think this is not correct, because the resource exists. Maybe I should use 401 Unauthorized. What do you think? What status code do you recommend me to use in this scenario? Thanks. 401 Unauthorized. Your existing session token doesn't authorize you any more, so you are unauthorized. Don't forget that a session token is just a short-cut to avoid having to provide credentials for every request. Sending 404 is incorrect because, as

I currently have a Django app that is simply a bunch of REST APIs (backed by a database of course). I am managing my authentications with Django REST framework JWT . It's working fine. Whenever a user logs in, one of my API returns a token that the consuming application stores for later usage. So far so good. However, in the future, this solution will need to scale. And instead of having a single server running the Django app, I can forsee a situation when I will need multiple Webservers. Of course all those webservers will be connected to the same Database. But since the token is not stored

I am busy doing some research into using REST services with mobile applications and would appreciate some insight. The scenario is as follows. Consider a web application that provides a service to users. The web application will also be the main interaction point for the users. This will be done in Grails, and secured with Spring Security. Now, we want to provide a REST service so that users can use the service via mobile applications. Since Grails has such nice support for making the existing web application RESTful, we will use the built-in Grails support for that. My question now is, what

I have a REST based service where a user can return a list of their own books (this is a private list). The URL is currently ../api/users/{userId}/books With each call they will also be supplying an authentication token supplied earlier. My question(s) is: Is supplying the userId in the URL redundant? As we get a token with each call we can find out which user is performing the call and return their list of books. The userId is not strictly required. Would removing the userId break REST principles as /users/books/ looks like it should return all books for all users? Should I just bite the

I have created a WebApi 2.2 project (from an Empty New ASP.NET Project) to prove some implementation concepts and I now want to add Authentication to it. I notice that the only way to add Authentication on a new WebApi app is to use one of the (VS 2013, in my case) Templates. Is there a sure-fire way of adding Authentication to an already existing WebApi 2.2 app? I will only want to use bearer tokens, if that makes a difference to any answers I may receive. Yes you can add the bearer authentication from scratch, I'm not big fan of the VS 2013 templates because they mix between cookies and

I can get access to the HttpServlet Request object in a soap web service as follows: Declaring a private field for the WebServiceContext in the service implementation, and annotate it as a resource: @Resource private WebServiceContext context; To get the HttpServletRequet object, I write the code as below: MessageContext ctx = context.getMessageContext(); HttpServletRequest request =(HttpServletRequest)ctx.get(AbstractHTTPDestination.HTTP_REQUEST); But these things are not working in a restful web service. I am using Apache CXF for developing restful web service. Please tell me how can I get