I'm currently working with Jersey/Jackson and I'm having a hard time understanding how I should approach the sign-up/login for my app's users. What kind of things should I keep in mind when developing such a service? (It's very important that it be secure.)

Thank you.

thedp
  • This question is pretty broad, what specific things are you having a hard time with? http://stackoverflow.com/questions/4574868/securing-my-rest-api-with-oauth-while-still-allowing-authentication-via-third-pa discusses some aspects of the issue that might interest you. – shieldstroy Apr 17 '15 at 18:38
  • Technically, application security is not directly related to the RESTful model that you have chosen. The recommended way would be to use a well-known pattern using an existing framework where possible. – Alex Nevidomsky Apr 17 '15 at 18:40
  • More details about your app and platform would help. – Alex Nevidomsky Apr 17 '15 at 18:41
  • Do I need access tokens, OAuth, is there something ready (Google is not much of a help lately) with Spring maybe, or some other stand-alone lib? – thedp Apr 17 '15 at 19:04

1 Answer


One easy way to get a session with a RESTful service is to create a sign-up/login site which returns something like a Session-UUID. The client then just has to send the UUID with every subsequent request.

To enhance security, you should invalidate the UUIDs after some time.

Edit: See Session Management with Jersey

D3xter
  • This is the basic idea you want to shoot for. You don't have to send the login credentials with every request, you just do it once to some auth-service and subsequently use the session-UUID with every request your app needs to make on behalf of the user. Also, make sure all your API calls (especially the original auth) are over HTTPS and not HTTP. This ensures that the content is encrypted and nefarious listeners can't steal credentials or tokens. – shieldstroy Apr 17 '15 at 18:48
  • Is there something ready to do all that, like Spring or even a stand-alone lib? Because I don't think it's a good idea to implement all that from scratch... – thedp Apr 17 '15 at 19:05
  • Yeah, it would be best to not do it from scratch. I don't have a quick and easy answer about ready-to-use implementations but there certainly are some. Google should help you out. Look for 'OAuth spring example' or something... Sorry I can't be much help. You could also tie into Google or Facebook or some other service, so that your users can login with accounts that they already have. There should be examples for how to do this as well. – shieldstroy Apr 17 '15 at 19:13
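The session-token scheme the answer and the first comment describe (log in once, receive an opaque token, send it on every later request, have the server forget it after a while), as an added example that is not part of the answer or of Jersey itself. `SessionStore` and `SessionAuthFilter` are hypothetical names; the token is 256 bits from `SecureRandom` rather than a UUID (Java's `UUID.randomUUID()` also draws from a cryptographically strong generator, so either works as long as the token is unguessable), the 30-minute lifetime and the `login` path are assumptions, and the filter expects the token in an `Authorization: Bearer <token>` header. The password check that precedes `create()` is out of scope here and is assumed to happen in the login resource.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** In-memory store of opaque session tokens -> (user, expiry). Hypothetical helper for this example. */
final class SessionStore {
    private static final Duration TTL = Duration.ofMinutes(30);   // assumed lifetime; the answer says "after some time"
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    private static final class Session {
        final String user;
        final Instant expiresAt;
        Session(String user, Instant expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }

    /** Issue a fresh 256-bit random token; call this only after the password has been verified. */
    String create(String user) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(user, Instant.now().plus(TTL)));
        return token;
    }

    /** Resolve a token to its user; expired tokens are dropped on the way so they cannot be replayed later. */
    Optional<String> validate(String token) {
        Session s = sessions.get(token);
        if (s == null) return Optional.empty();
        if (Instant.now().isAfter(s.expiresAt)) {
            sessions.remove(token);
            return Optional.empty();
        }
        return Optional.of(s.user);
    }

    /** Logout / forced invalidation: a token the server has forgotten is worthless to anyone who captured it. */
    void invalidate(String token) { sessions.remove(token); }
}

/** JAX-RS request filter: every path except the login endpoint requires a live session token. */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class SessionAuthFilter implements ContainerRequestFilter {
    static final SessionStore STORE = new SessionStore();

    @Override
    public void filter(ContainerRequestContext ctx) {
        // The login resource is the one path reachable without a token (path is relative to the base URI).
        if ("login".equals(ctx.getUriInfo().getPath())) return;

        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith("Bearer ")) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        Optional<String> user = STORE.validate(header.substring("Bearer ".length()));
        if (!user.isPresent()) {
            // Unknown or expired token: reject before any resource method runs.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        // Resource methods read the authenticated identity from here instead of trusting request data.
        ctx.setProperty("user", user.get());
    }
}
```

The login resource (not shown) verifies the submitted password against a stored hash and then returns `SessionAuthFilter.STORE.create(username)` to the client; the filter must be registered with Jersey (by classpath scanning of `@Provider` classes or explicitly in a `ResourceConfig`), and, as the comment above notes, the whole API has to be served over HTTPS, because the token is a bearer credential: anyone who reads it off the wire can use it until it expires or is invalidated. An in-memory map is lost on restart and does not scale across instances; for more than one server the same logic goes in a shared store such as a database or cache.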