Comments on: Simple Security for HTTP Based RESTful Services (Part 2) http://blue64.net/2008/12/simple-security-for-http-based-restful-services-part-2/ Living in a 64 bit world Fri, 15 Jan 2010 17:31:28 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Steve http://blue64.net/2008/12/simple-security-for-http-based-restful-services-part-2/comment-page-1/#comment-77 Steve Fri, 07 Aug 2009 01:50:53 +0000 http://blue64.net/?p=146#comment-77 Take a look at http://oauth.net. This should solve most of your problems. Take a look at http://oauth.net. This should solve most of your problems.

]]> By: Veer Muchandi http://blue64.net/2008/12/simple-security-for-http-based-restful-services-part-2/comment-page-1/#comment-76 Veer Muchandi Thu, 06 Aug 2009 14:40:30 +0000 http://blue64.net/?p=146#comment-76 Hi Steve, Is there a similar simple solution for a B2C model? 1. I want to expose the resources via RESTful interface to the consumers. 2. I want them to be able to call the service via HTTP/HTTP(S). 3. I want the call to be made equally from both a web-browser or a non-browser client. This means the security should stick on to what the browser can do by default. 4. I want the solution to work with a GET call. With these requirements, my thoughts are getting constrained to either 1. Basic Authentication or 2. Digest Authentication. I am assuming that every request needs to carry the user credentials if it has to meet the requirement #3 above. Basic Authentication is not secure enough, even if I use HTTPS as the header. The reason I say that is because, the http header param "Authorization : blahblah" is not encrypted. Or am I incorrect? Digest Authentication is a tough thing for a custom client to implement. Or am I incorrect? So how do we secure the RESTful services to meet the requirements of B2C clients? Thanks Veer Muchandi Hi Steve,

Is there a similar simple solution for a B2C model?
1. I want to expose the resources via RESTful interface to the consumers.
2. I want them to be able to call the service via HTTP/HTTP(S).
3. I want the call to be made equally from both a web-browser or a non-browser client. This means the security should stick on to what the browser can do by default.
4. I want the solution to work with a GET call.

With these requirements, my thoughts are getting constrained to either 1. Basic Authentication or 2. Digest Authentication. I am assuming that every request needs to carry the user credentials if it has to meet the requirement #3 above.

Basic Authentication is not secure enough, even if I use HTTPS as the header. The reason I say that is because, the http header param “Authorization : blahblah” is not encrypted. Or am I incorrect?

Digest Authentication is a tough thing for a custom client to implement. Or am I incorrect?

So how do we secure the RESTful services to meet the requirements of B2C clients?

Thanks
Veer Muchandi

]]>