Securing REST API using custom tokens (stateless, no UI, no cookies, no basic authentication, no OAuth, no login page)

My sample app does exactly this – securing REST endpoints using Spring Security in a stateless scenario. Individual REST calls are authenticated using an HTTP header. Authentication information is stored on the server side in an in-memory cache and provides the same semantics as those offered by the HTTP session in a typical web application. …

Restful web service authentication

One way I’ve seen this done in APIs (and the way I am currently implementing it) is to create a RESTful resource called Session which is created via a POST that supplies a username and password. Here is basically how I’ve implemented it: POST /sessions { "Username": "User", "Password": "Password" } Create a time-limited session …

How to use jti claim in a JWT

Indeed, storing all issued JWT IDs undermines the stateless nature of using JWTs. However, the purpose of JWT IDs is to be able to revoke previously-issued JWTs. This can most easily be achieved by blacklisting instead of whitelisting. If you’ve included the “exp” claim (you should), then you can eventually clean up blacklisted JWTs as …

What status code should I use when session token is invalid?

401 Unauthorized. Your existing session token doesn’t authorize you any more, so you are unauthorized. Don’t forget that a session token is just a short-cut to avoid having to provide credentials for every request. Sending 404 is incorrect because, as you observe, the resource does exist. You just don’t currently have authorization to see it. …

AngularJS Authentication + RESTful API

This is taken from my blog post on URL route authorisation and element security here, but I will briefly summarise the main points 🙂 Security in a frontend web application is merely a starting measure to stop Joe Public; however, any user with some web knowledge can circumvent it, so you should always have security server-side …

How do I implement login in a RESTful web service?

As S.Lott pointed out already, we have a twofold thing here: login and authentication. Authentication is out of scope here, as this is widely discussed and there is common agreement. However, what do we actually need for a client to successfully authenticate itself against a RESTful web service? Right, some kind of token, let’s call it access-token. …

What is the difference between JSON Web Signature (JWS) and JSON Web Token (JWT)?

JWT actually uses JWS for its signature. From the specification’s abstract: JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) …
