REST HTTP Authentication - How?

miguelcobain · Jan 9, 2012 · Viewed 16.5k times

So, I'm developing a REST webservice using RESTeasy and Google App Engine. My question isn't related to GAE, but I mentioned it just in case it matters. It happens that naturally I need to secure my resources and my own users (not Google's).

Securing a REST webservice seems like a very controversial subject, or at least a very 'liberal' one. REST doesn't impose any standard on this matter. From what I've researched on the web and literature, there are at least 3 approaches that I think might fit in my application:

  • HTTP Basic (with SSL)
  • HTTP Digest (with SSL)
  • OAuth

OAuth seems like the most complete approach. But I don't think that such a complexity is needed because I will not need to authorize any 3rd party applications. It is a webservice to be consumed by my own client applications only.

HTTP Basic and HTTP Digest appear as the most simple ones on the web, but the fact is that I've never found a concrete implementation of them using RESTeasy, for example. I've found this page and this one in RESTeasy's documentation. They are indeed very interesting, but they tell little or nothing on this subject (HTTP Basic or Digest).

So, here I am asking:

How do I secure my WebService using HTTP Basic or Digest in RESTeasy?

Perhaps it is so simple that it isn't worth mentioning in the documentation or anywhere else? Also, if anyone can provide me some insight on the matter of securing RESTful webservices, it could be helpful.

Am I choosing the right approaches?

Answer

Luke Francl · Jan 9, 2012

The simplest way to secure a REST API is to use HTTP Basic authentication over SSL. Since the headers are encrypted there is not much point in using Digest. This should work great as long as you can keep the password secure on the client(s).
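As an added illustration of the answer's recommendation (not code from the question, the answer, or RESTeasy itself), here is a JAX-RS request filter that accepts HTTP Basic credentials only over TLS and checks them against a stored password hash. It assumes RESTeasy with JAX-RS 2 filter support and a container that terminates TLS so that `SecurityContext.isSecure()` is meaningful; the realm name, salt and single-user store are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.annotation.Priority;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;
@Provider
@Priority(Priorities.AUTHENTICATION)
public class BasicAuthFilter implements ContainerRequestFilter {
    private static final String CHALLENGE = "Basic realm=\"api\"";
    // Constructed salt and user store (assumption): username -> PBKDF2 hash, never the password itself.
    private static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, byte[]> USERS = Collections.singletonMap("alice", pbkdf2("correct horse battery"));

    @Override
    public void filter(ContainerRequestContext ctx) {
        // Basic carries the password in the clear inside the header, so refuse plain HTTP outright.
        if (!ctx.getSecurityContext().isSecure()) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).entity("TLS required").build());
            return;
        }
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        String decoded = "";
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            try {
                decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException badBase64) { /* treated as missing credentials below */ }
        }
        // Split on the first ':' only: usernames cannot contain ':', but passwords can.
        int colon = decoded.indexOf(':');
        String user = colon < 0 ? "" : decoded.substring(0, colon);
        byte[] presented = pbkdf2(colon < 0 ? "" : decoded.substring(colon + 1));
        byte[] expected = USERS.get(user);
        // Hash before the lookup and compare in constant time so timing does not reveal valid usernames.
        if (expected == null || !MessageDigest.isEqual(expected, presented)) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).header(HttpHeaders.WWW_AUTHENTICATE, CHALLENGE).build());
        }
    }

    static byte[] pbkdf2(String password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), SALT, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

A real deployment would use a per-user salt and a persistent user store rather than the in-memory map shown here.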