restful-authentication

I have to lay out a plan to develop a RESTful API (Python/Flask) that could be used by our future web app (Angularjs) and mobile apps (iOS/Android). I have been researching for three days and have come across several scenarios: Using HTTPS is one way on top of the methods below to keep it safer. But https is slower, which could mean we need faster and more expensive servers. Using Basic-Http-Auth and sending username/password in plain (yet https) over the wire for every request to the API. Using Digest-Auth, which is a hash of the password and the tracking would be automatic This would work

There are lots of guidelines, sample codes that show how to secure REST API with Spring Security, but most of them assume a web client and talk about login page, redirection, using cookie, etc. May be even a simple filter that checks for the custom token in HTTP header might be enough. How do I implement security for below requirements? Is there any gist/github project doing the same? My knowledge in spring security is limited, so if there is a simpler way to implement this with spring security, please let me know. REST API served by stateless backend over HTTPS client could be web app, mobile

I could do with some help on my REST API. I'm writing a Node.js app which is using Express, MongoDB and has Backbone.js on the client side. I've spent the last two days trying to work out all of this and not having much luck. I've already checked out: Securing a REST API Securing my REST API with OAuth while still allowing authentication via third party OAuth providers (using DotNetOpenAuth) http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/ http://tesoriere.com/2011/10/10/node.js-getting-oauth-up-and-working-using-express.js-and-railway.js/ I want to keep my

I am designing a RESTful web service that needs to be accessed by users, but also other web services and applications. All of the incoming requests need to be authenticated. All communication takes place over HTTPS. User authentication is going to work based on an authentication token, acquired by POSTing the username and password (over an SSL connection) to a /session resource provided by the service. In the case of web service clients, there is no end user behind the client service. The requests are initiated by scheduled tasks, events or some other computer operations. The list of

I am building an iPhone app using jQuery Mobile, jQuery 1.7.2, and PhoneGap trying to get a JSONP from ASP.NET RESTful web service using this code, problem that I need to authenticate first and get a token, then send it back again. here is my function: var setToken = function () { var serverToken = ''; $.support.cors = true; jQuery('body').ajaxSend(function (evt, xhr) { xhr.setRequestHeader("Authorization", "Basic " + $.base64.encode(username + ":" + password)); xhr.setRequestHeader('X-Accept', 'application/json'); }); $.getJSON(url + "?jsoncallback=?", null, function (res) { console.log(res);

For some reason I'm getting an InvalidAuthenticityToken when making post requests to my application when using json or xml. My understanding is that rails should require an authenticity token only for html or js requests, and thus I shouldn't be encountering this error. The only solution I've found thus far is disabling protect_from_forgery for any action I'd like to access through the API, but this isn't ideal for obvious reasons. Thoughts? def create respond_to do |format| format.html format.json{ render :json => Object.create(:user => @current_user, :foo => params[:foo], :bar => params[:bar

I am developing a new application in JavaEE 7 using WildFly 8. I am using JAX-RS to provide a RESTful service interface for remote applications. Something like an HttpHeaders object can be injected in a resource method arguments using the @Context annotation. Since the object is based on request parameters (of course, the HTTP headers), I came up with the idea of creating my own injectable User object which is created based on the presence of a valid token in the request (something like an OAuth access token). So, I want to achieve something like this: @Path("/resources") public class