restful-authentication

Should JWT be stored in localStorage or cookie?

孤者浪人 submitted on 2019-11-27 05:06:07
Question: For the purpose of securing a REST API using JWT, according to some materials (like this guide and this question), the JWT can be stored in either localStorage or Cookies. Based on my understanding: localStorage is subject to XSS and generally it's not recommended to store any sensitive information in it. With Cookies we can apply the flag "httpOnly", which mitigates the risk of XSS. However, if we are to read the JWT from Cookies on the backend, we are then subject to CSRF. So based on the

Losing session in rails 2.3.2 app using subdomain

微笑、不失礼 submitted on 2019-11-27 04:43:17
Question: I have a 2.2.3 app which I upgraded to 2.3.2. It's a multi-site app (using subdomains) that creates one top-level session for all sites. This is how I change the domain in production.rb: ActionController::Base.session_options[:domain] = "example.com" # in rails 2.2.2, this is what i used to do: # ActionController::Base.session_options[:session_domain] = "example.com" Strange things started to happen after I upgraded. I can no longer log in using restful authentication; it does authenticate me, but

RestTemplate with Basic Auth in Spring 3.1

江枫思渺然 submitted on 2019-11-27 00:57:56
Question: We were using RestTemplate with XML configuration in Spring 3.0 and it was working perfectly fine. <bean id="httpClient" class="org.apache.commons.httpclient.HttpClient"> <!-- <constructor-arg ref="httpClientParams"/> --> </bean> <bean id="httpClientFactory" class="org.springframework.http.client.CommonsClientHttpRequestFactory"> <constructor-arg ref="httpClient"/> </bean> <bean id="restTemplate" name="restTemplate" class="org.springframework.web.client.RestTemplate" autowire-candidate="true"

Simple way of turning off observers during rake task?

为君一笑 submitted on 2019-11-26 19:34:53
Question: I'm using restful_authentication in my app. I'm creating a set of default users using a rake task, but every time I run the task an activation email is sent out because of the observer associated with my user model. I'm setting the activation fields when I create the users, so no activation is necessary. Anyone know of an easy way to bypass observers while running a rake task so that no emails get sent out when I save the user? Thanks. Answer 1: You could add an accessor to your user model,

How to implement 'Token Based Authentication' securely for accessing the website's resources(i.e. functions and data) that is developed in PHPFox?

烈酒焚心 submitted on 2019-11-26 18:51:46
Question: I want to use methods and resources from the code of a website which is developed in PHPFox. Basically, I'll receive requests from iPhone/Android, pass each request to the respective function from the PHPFox code, take the response from that function and return it back to the device. For this purpose I've developed REST APIs using the Slim framework. But the major blocker I'm facing currently is in accessing the resources (i.e. functions and data) of the PHPFox website. I'm not

Token Authentication for RESTful API: should the token be periodically changed?

瘦欲@ submitted on 2019-11-26 17:53:07
Question: I'm building a RESTful API with Django and django-rest-framework. As the authentication mechanism we have chosen "Token Authentication" and I have already implemented it following Django-REST-Framework's documentation. The question is: should the application renew / change the Token periodically, and if yes, how? Should it be the mobile app that requires the token to be renewed, or should the web app do it autonomously? What is the best practice? Anybody here experienced with Django REST Framework

How do I implement login in a RESTful web service?

只谈情不闲聊 submitted on 2019-11-26 15:02:58
Question: I am building a web application with a services layer. The services layer is going to be built using a RESTful design. The thinking is that some time in the future we may build other applications (iPhone, Android, etc.) that use the same services layer as the web application. My question is this: how do I implement login? I think I am having trouble moving from a more traditional verb-based design to a resource-based design. If I was building this with SOAP I would probably have a method

REST authentication and exposing the API key

笑着哭i submitted on 2019-11-26 13:59:45
I've been reading up on REST and there are a lot of questions on SO about it, as well as on a lot of other sites and blogs. Though I've never seen this specific question asked...for some reason, I can't wrap my mind around this concept... If I'm building a RESTful API, and I want to secure it, one of the methods I've seen is to use a security token. When I've used other APIs, there's been a token and a shared secret...makes sense. What I don't understand is, requests to a rest service operation are being made through javascript (XHR/Ajax), what is to prevent someone from sniffing that out with

How to secure RESTful web services?

走远了吗. submitted on 2019-11-26 12:49:32
Question: I have to implement secure RESTful web services. I already did some research using Google but I'm stuck. Options: TLS (HTTPS) + HTTP Basic (pc1oad1etter); HTTP Digest; two-legged OAuth; a Cookie-based approach; client certificates (Tom Ritter and here); Signed requests using HMAC and a limited lifetime. Are there more possible options to consider? If OAuth, then what version? Does it even matter? From what I've read so far, OAuth 2.0 with bearer tokens (that is, without signatures) seems to be

Do sessions really violate RESTfulness?

与世无争的帅哥 submitted on 2019-11-26 05:42:17
Question: Is using sessions in a RESTful API really violating RESTfulness? I have seen many opinions going either direction, but I'm not convinced that sessions are RESTless. From my point of view: authentication is not prohibited for RESTfulness (otherwise there'd be little use in RESTful services); authentication is done by sending an authentication token in the request, usually the header; this authentication token needs to be obtained somehow and may be revoked, in which case it needs to be