restful-authentication

RestTemplate with Basic Auth in Spring 3.1

与世无争的帅哥 submitted on 2019-11-28 05:33:18
We were using RestTemplate with XML configuration in Spring 3.0 and it was working perfectly fine.

<bean id="httpClient" class="org.apache.commons.httpclient.HttpClient">
  <!-- <constructor-arg ref="httpClientParams"/> -->
</bean>
<bean id="httpClientFactory" class="org.springframework.http.client.CommonsClientHttpRequestFactory">
  <constructor-arg ref="httpClient"/>
</bean>
<bean id="restTemplate" name="restTemplate" class="org.springframework.web.client.RestTemplate" autowire-candidate="true">
  <constructor-arg ref="httpClientFactory" />
  <property name="messageConverters">
    <list>
      <bean class=

Dealing with expired access tokens in OAuth2 implicit grant

房东的猫 submitted on 2019-11-28 04:56:25
The specification of OAuth2 states that an authorization server must not issue a refresh token when using implicit grant. In our use case we protect a RESTful API with OAuth2 and use a single-page JavaScript application as a client for this API. As it would be very difficult to redirect to the authorization server after an access token has expired, we are searching for a better way to get a new valid token. I could think about two different approaches and wonder which one could be better: Use a hidden iframe to re-request a valid access token. For this it is necessary to include a parameter

ASP.net Web API RESTful web service + Basic authentication

强颜欢笑 submitted on 2019-11-28 04:40:40
I'm implementing a RESTful web service using ASP.Net Web Api. I have concluded to use Basic authentication + SSL to do the authentication part. What is the best/correct way to implement that? My first attempt was to do it manually, parsing the Authorization header, decoding and verifying the user against my database. It works, but I wonder if I am missing something. I've seen some solutions using user roles and principals. While I'm not sure what these actually do, I'm almost sure I will not be needing these, since in my database I define my own users and their roles. Also what I haven't yet

Losing session in rails 2.3.2 app using subdomain

主宰稳场 submitted on 2019-11-28 00:17:41
I have a 2.2.3 app which I upgraded to 2.3.2. It's a multi-site (using subdomain) that creates one top level session for all sites. This is how I change the domain in production.rb:

ActionController::Base.session_options[:domain] = "example.com"
# in rails 2.2.2, this is what i used to do:
# ActionController::Base.session_options[:session_domain] = "example.com"

Strange things started to happen after I upgraded. I can no longer log in using restful authentication; it does authenticate me, but as soon as I'm redirected, it would ask me to log in again. As I said, I use restful_authentication and

What's the appropriate HTTP status code to return if a user tries logging in with an incorrect username / password, but correct format?

末鹿安然 submitted on 2019-11-27 22:40:06
A similar question is posted here: What's an appropriate HTTP status code to return by a REST API service for a validation failure? The answer in the thread above states that "For instance if the URI is supposed to have an ISO-8601 date and you find that it's in the wrong format or refers to February 31st, then you would return an HTTP 400. Ditto if you expect well-formed XML in an entity body and it fails to parse." However, what happens if the user submitted correctly formatted data? By this I mean, the user submitted a plain alphabetical string / text for the username and password (which is

Simple way of turning off observers during rake task?

依然范特西╮ submitted on 2019-11-27 18:43:49
I'm using restful_authentication in my app. I'm creating a set of default users using a rake task, but every time I run the task an activation email is sent out because of the observer associated with my user model. I'm setting the activation fields when I create the users, so no activation is necessary. Anyone know of an easy way to bypass observers while running a rake task so that no emails get sent out when I save the user? Thanks.

You could add an accessor to your user model, something like "skip_activation" that wouldn't need to be saved, but would persist through the session, and then

How to implement 'Token Based Authentication' securely for accessing the website's resources (i.e. functions and data) that is developed in PHPFox?

六月ゝ 毕业季﹏ submitted on 2019-11-27 17:07:05
I want to use methods and resources from the code of a website which is developed in PHPFox. Basically, I'll receive a request from iPhone/Android, I'll get the request and pass it to the respective function from the PHPFox code, take the response from that function and return it back to the device. For this purpose I've developed REST APIs using the Slim framework. But the major blocker I'm facing currently is in accessing the resources (i.e. functions and data) of the PHPFox website. I'm not understanding how I should authenticate the user using 'Token Based Authentication' in order to access the

How do I implement login in a RESTful web service?

懵懂的女人 submitted on 2019-11-27 16:47:51
I am building a web application with a services layer. The services layer is going to be built using a RESTful design. The thinking is that some time in the future we may build other applications (iPhone, Android, etc.) that use the same services layer as the web application. My question is this - how do I implement login? I think I am having trouble moving from a more traditional verb based design to a resource based design. If I was building this with SOAP I would probably have a method called Login. In REST I should have a resource. I am having difficulty understanding how I should

API Keys vs HTTP Authentication vs OAuth in a RESTful API

a 夏天 submitted on 2019-11-27 16:45:10
I'm working on building a RESTful API for one of the applications I maintain. We're currently looking to build various things into it that require more controlled access and security. While researching how to go about securing the API, I found a few different opinions on what form to use. I've seen some resources say HTTP-Auth is the way to go, while others prefer API keys, and even others (including the questions I found here on SO) swear by OAuth. Then, of course, the ones that prefer, say, API keys, say that OAuth is designed for applications getting access on behalf of a user (as I

Authentication/authorization in JAX-RS using interceptors and injection

白昼怎懂夜的黑 submitted on 2019-11-27 16:45:10
Question: I am developing a new application in JavaEE 7 using WildFly 8. I am using JAX-RS to provide a RESTful service interface for remote applications. Something like an HttpHeaders object can be injected in a resource method's arguments using the @Context annotation. Since the object is based on request parameters (of course, the HTTP headers), I came up with the idea of creating my own injectable User object which is created based on the presence of a valid token in the request (something like an