
I have a user object for my RESTful service, which has a userid and a password. It is just for authorization stuff. Should I do it as a resource like /user/{id} or put it just in a HashMap?

Robin Wieruch
  • Can you possibly give a bit more detail? – McGarnagle Apr 01 '12 at 08:33
  • I just wanted to know if I have to make an object, which is just for authorization stuff, into a resource in REST. I don't know if it is a lack of security when there are resources with userids and passwords. Otherwise I would put userid and password just into a HashMap. – Robin Wieruch Apr 01 '12 at 08:42
  • See similar question for .net wcf http://stackoverflow.com/questions/7588691/user-authentication-for-mobile-clients-in-restful-wcf-4-service – Michael Freidgeim Jun 18 '12 at 17:45

1 Answer

I have recently written my first RESTful service. I used Basic authentication along with HTTPS. This means any resource which I deemed as requiring authentication rejected any request with a 401 (Unauthorized) response when the Auth header was either absent or did not contain valid credentials.

There is no need for a separate resource to control access.

Having said all that, I readily admit I am not a REST guru or security guru. So there may be other ways of dealing with this, but this one worked just fine for me.

There are many different ways to implement security in a RESTful service and there are no black-and-white right/wrong ways, just what suits best. I have heard of people using token-based authentication and there is also OAuth, which is what I will be moving my service to at some point in the future. Well, OAuth2 anyway.

Antony Scott