i'm reading RESTful Web Services and on the first chapters they talk about taking advantages over the stuff HTTP already serves.
They introduce en example that does authentication to del.icio.us using HTTP Basic Authentication.
Until now, the apps I've been written in NodeJS implemeted Authentication by sending a POST request from a form containing user and a password field.
How do you guys implement this? Do webpages implement auth via http basic auth?
Which one is recommended?
Thanks in advance.
You may find Basic HTTP authentication in Node.JS? useful as it describes how to do Basic Authentication in NodeJS.
As for its use in Web Services, well...there are lots of ways to authorize requests from using a shared secret (like an API key), cookies (like Basic Auth) or user credentials added to a request string. All have their pluses and minuses.
For most of my coding, I rely on public/private key pairs to assure the identity of clients.
http-auth module should do the job
// Authentication module.
var auth = require('http-auth');
var basic = auth.basic({
realm: "Simon Area.",
file: __dirname + "/../data/users.htpasswd" // gevorg:gpass, Sarah:testpass ...
});
// Creating new HTTP server.
http.createServer(basic, function(req, res) {
res.end("Welcome to private area - " + req.user + "!");
}).listen(1337);
Related
I have web application which structure is as-
webapi : django web services [NOT REST] no security implemented
frontend : Angular2. authentication implemented via SAML
Database : Mongodb
Can you please suggest best way to secure webapi, as currently anyone can access web services who has server[api] url
It will be big help if you suggest the authentication and authorization flow because I am totally stuck.
Thanks in advance.
Implement an /authentication on your API which accepts Basic authentication. Make sure you do that over HTTPS. Username and password will be collected by your Angular app and sent back to /authentication. If the user authenticates, return a session token, for example JWT (check pyjwt).
All the following communications between the front and back should contain the token, which is issued only if the user authenticated. The token is inclued in the request headers and specifically in Authororization header using the Bearer schema:
Authorization: Bearer <token>
A JWT contains the username so you can use that on each future request. Furthermore, you are not required to keep record of the issued JWT since each one is self-contained and can have predetermined expiration data.
Hi i am new to Apache cxf rest API security side.I want to rest API which have good security with authorization.I found Apache cxf gives Ouath2 security features(http://cxf.apache.org/docs/jax-rs-oauth2.html).So And i need to use json web token(http://jwt.io/) to send to API for authorization.Simply i need to use secured line for send request to rest API.So far i have simple design.
And my REST api have CRUD Operations to database.I thought send JWT as Access token in request header.And API side verify the user and send data back to user.I have two questions.First one is Is this the best design for this kind of application.And second one is if this is best way how to generate Tokens and is that we need to keep those tokens in server side.
Yes it's a good design
I can explain it with github web api's
Authorize
First u validate urself for using API by sending client id and callback url in request (here u specify access level ie.scope) and u receive a code
Access_token
Then u exchange this code for access token (this time with client secret included in req parameter)
This access token received is used for all future calls made by u on behalf of user
Nd ya u store this token and refresh token at server
https://developer.github.com/v3/oauth/#web-application-flow
Although this is specific to github , similar flow follows for twitter , linked in and slightly different for facebook web api's
I'm trying to protect my Django restful api.
I got two clients :
my Django Front end application (Ajax requests on my server)
a python application using httplib to make its own requests
For now I'm using HTTP Basic Authentication to allow a client to consume a resource.
A basic username/password on a auth method managing a cookie session.
In production I ensure that my API is only available over https.
I tried to implement HMAC construction (because I don't want to put my password on the wire, but I have to store the secret at both ends). This work well with my other python application, but not with my Django Front end application since any user can see the javascript code.
I tried to implement an other authentication method because I don't want to really maintain a session state (not really REST).
curl -H "PERSONAL_SECRET_API_KEY: TokenKeyxxxxxxxxxx" https://localhost:8000/api/resource/
Here my questions:
What are the weaknesses of the basic Authentication System ?
Is there another method which suit my purposes ?
Thank you
Being prone to repeat attack is in my opinion the largest weakness of basic authentication.
Have you considered public/private key infrastructure? Client apps create public/private key pairs. Public keys are stored on the server. Client app encrypts its request with private key, server can decrypt it with client app's public key and send the response the same way.
I have server with some resources; until now all these resources were requested through a browser by a human user, and the authentication was made with an username/password method, that generates a cookie with a token (to have the session open for some time).
Right now the system requires that other servers make GET requests to this resource server but they have to authenticate to get them. We have been using a list of authorized IPs but having two authentication methods makes the code more complex.
My questions are:
Is there any standard method or pattern to authenticate human users and servers using the same code?
If there is not, are the methods I'm using now the right ones or is there a better / more standard way to accomplish what I need?
Thanks in advance for any suggestion.
I have used a combination of basic authentication and cookies in my web services before. In basic authentication you pass the user name/password encoded in the HTTP header where it looks something like this.
Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
The string after the word "Basic" is the encoded user name and password that is separated by a colon. The REST API can grab this information from the HTTP header and perform authentication and authorization. If authentication fails I return an HTTP Unauthorized error and if they are authenticated but are not authorized I return an HTTP Forbidden error to distinguish between failure to authentication versus authorization. If it is a web client and the person is authenticated then I pass the following in the HTTP header with a request.
Authorization: Cookie
This tells the web service to get the cookie from the HTTP request and use it for authorization instead of doing the authentication process over again.
This will allow clients that are not web browsers to use the same techniques. The client can always use basic authentication for every request, or they can use basic authentication on the initial request and maintain cookies thereafter. This technique also works well for Single Page Applications (SPAs) where you do not have a separate login page.
Note: Encoding the user name and password is not good enough security; you still want to use HTTPS/SSL to secure the communications channel.
I have deployed webservice in Tomcat using Apache CXF. How would I proceed in securing that web service using OAuth 2.0?
I have gone through the below URL but without finding any suitable solution. A working example or tutorials on how to implement oAuth 2.0 for simple web service?
Original tutorial link:
JAX-RS: OAuth2
I was confronted with the same issue recently. After a decent amount of research, I have found (and this could be limited to me alone) that this is quite complicated.
It is possible to attach the required "authorization header" to a SOAP webservice call in this manner :
Map<String, Object> req_ctx = ((BindingProvider)port).getRequestContext();
req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, WS_URL);
Map<String, List<String>> headers = new HashMap<String, List<String>>();
headers.put("key", Collections.singletonList("yourkey"));
//... all other parameters required.
req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);
The request can then be checked on the server side as such :
MessageContext mctx = wsctx.getMessageContext();
//get detail from request headers
Map http_headers = (Map) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
List userList = (List) http_headers.get("key");
//... get other information required here
And thus you can validate the request.
On a side note
It is to note, from my findings, oAuth2 is not very useful for simply securing your API - simply protecting it from outside use.
The reasoning
With oAuth 1, you could use the authentication to validate a user by their key. You knew they were authorized because they have successfully signed the request, and thus you would allow them access to the information.
With oAuth 2, the protocol requires you to use HTTPS. Then why not just use application authentication with your API? I have found oAuth 2 to be very useful to access 3rd party applications with the original set of credentials (the goal of the protocol). But unless you need to do this, there is no need (again IMO) to implement the full oAuth. If you ONLY looking to secure your API, just do it using SSL and a key or username/password combination.
See also:
Application Authentication With JAX-WS
CFX User Guide
How is OAuth 2 different from OAuth 1?
Designing a Secure REST API without oAuth - more useful for general understanding.
I've added a short intro here:
https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+OAuth2#JAX-RSOAuth2-OAuth2tokensandSOAPendpoints
Basically it will work with bearer tokens passed via Authorization headers as is, and can be easily customized to handle WS-Security binary tokens