Simple way of turning off observers during rake task?

Rails 3.1 finally comes with API for this: http://api.rubyonrails.org/v3.1.0/classes/ActiveModel/ObserverArray.html#method-i-disable

ORM.observers.disable :user_observer # => disables the UserObserver
User.observers.disable AuditTrail # => disables the AuditTrail observer for User notifications. Other models will still notify the AuditTrail observer.
ORM.observers.disable :observer_1, :observer_2 # => disables Observer1 and Observer2 for all models.
ORM.observers.disable :all # => disables all observers … Read more

Securing REST API using custom tokens (stateless, no UI, no cookies, no basic authentication, no OAuth, no login page)

My sample app does exactly this – securing REST endpoints using Spring Security in a stateless scenario. Individual REST calls are authenticated using an HTTP header. Authentication information is stored on the server side in an in-memory cache and provides the same semantics as those offered by the HTTP session in a typical web application. … Read more

Restful web service authentication

One way I’ve seen this done in APIs (and the way I am currently implementing it) is to create a RESTful resource called Session which is created via a POST that supplies a username and password. Here is basically how I’ve implemented it:

POST /sessions { "Username": "User", "Password": "Password" }

Create a time-limited session … Read more

What status code should I use when session token is invalid?

401 Unauthorized. Your existing session token doesn’t authorize you any more, so you are unauthorized. Don’t forget that a session token is just a short-cut to avoid having to provide credentials for every request. Sending 404 is incorrect because, as you observe, the resource does exist. You just don’t currently have authorization to see it. … Read more

AngularJS Authentication + RESTful API

This is taken from my blog post on URL route authorisation and element security here, but I will briefly summarise the main points 🙂 Security in a frontend web application is merely a starting measure to stop Joe Public; any user with some web knowledge can circumvent it, so you should always have security server-side … Read more

How do I implement login in a RESTful web service?

As S.Lott pointed out already, we have a two-fold thing here: login and authentication. Authentication is out of scope here, as this is widely discussed and there is common agreement. However, what do we actually need for a client to successfully authenticate itself against a RESTful web service? Right, some kind of token, let’s call it access-token. … Read more

What is the difference between JSON Web Signature (JWS) and JSON Web Token (JWT)?

JWT actually uses JWS for its signature. From the specification’s abstract: JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) … Read more