How do you protect a resource on a webserver using REST API - authentication

I wanted to know how I can protect a resource on a webserver using a REST API. For example, I want to access http://www.xyz.com/folder/impresource.doc but before accessing that I have to be authenticated. The thing is I am trying to create a simple mobile client to authenticate with a REST service and then be able to access the resource.
I would appreciate a good example explaining how it can be done. Thanks :)
It would be nice if I could get an example in PHP.

You implement a web service (be it REST, or be it SOAP) in some programming language (for example, Java or C#) running in some "container" (for example, IIS/.Net or Tomcat).
The layer below REST (for example, the C# code you're using to implement your IIS/.Net/SOAP web service, or the Java code in your .war) is the layer where you want to write any custom access code.
Alternatively, some vendors (for example, Amazon S3) have already done this for you:
http://aws.amazon.com/s3/faqs/
Other vendors (such as Microsoft) give you a way to use their authentication infrastructure with your web service:
Secure REST Service Microsoft Azure AppFabric

In Java you can use a servlet filter, which will send an error code if it does not find an authentication object in the user session, and if authenticated lets the request handling proceed. A very popular implementation of this approach is Spring Security: http://static.springsource.org/spring-security/site/tutorial.html
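The filter behaviour described in the answer above, as an added example that is not part of the original post: a WSGI middleware (Python stands in for the servlet container) that looks up the session id from the cookie in a session store, sends 401 when no authenticated user is attached to the session, and otherwise hands the request to the protected resource with the principal attached. The session store, the cookie name `SESSIONID` and the `run_request` driver are assumptions made for the example.

```python
"""Session-gated middleware in the style of a servlet filter (added example)."""
from typing import Callable, Dict, Iterable, Tuple

WSGIApp = Callable[[dict, Callable], Iterable[bytes]]

# Constructed session store: session id -> authenticated user. In a real
# deployment this is the container's session, populated by the login endpoint.
SESSIONS: Dict[str, str] = {"s3ss10n-alice": "alice"}


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie header into a name -> value map (first value wins)."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = value
    return cookies


def protected_resource(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """The resource behind the filter; only reached after authentication."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"{environ['PATH_INFO']} for {environ['auth.user']}".encode()]


class SessionAuthFilter:
    """Reject requests without a valid session; otherwise pass them downstream."""

    def __init__(self, app: WSGIApp, sessions: Dict[str, str],
                 cookie_name: str = "SESSIONID") -> None:
        self.app = app
        self.sessions = sessions
        self.cookie_name = cookie_name

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        sid = parse_cookies(environ.get("HTTP_COOKIE", "")).get(self.cookie_name)
        user = self.sessions.get(sid) if sid else None
        if user is None:
            # No authentication object in the session: send an error code and
            # stop here, so the protected handler never runs.
            start_response("401 Unauthorized",
                           [("Content-Type", "text/plain"),
                            ("Cache-Control", "no-store")])
            return [b"authentication required\n"]
        environ["auth.user"] = user  # make the principal available downstream
        return self.app(environ, start_response)


def run_request(app: WSGIApp, path: str, cookie: str = "") -> Tuple[str, bytes]:
    """Drive a WSGI app in-process (no network) and return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie}
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


# The filter wraps the resource exactly as a servlet filter wraps a servlet.
app = SessionAuthFilter(protected_resource, SESSIONS)

if __name__ == "__main__":
    print(run_request(app, "/folder/impresource.doc"))
    print(run_request(app, "/folder/impresource.doc", "SESSIONID=s3ss10n-alice"))
```

Every request for the document passes through the filter first; the handler only sees requests that already carry a resolved user, so the authorization decision is taken in one place rather than inside each resource handler.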

Related

FF4J: REST endpoint as a feature store

I am currently looking at implementing feature toggles using ff4j for our application. We want to have a remote central config app which will hold all the features in it, and the applications will talk to this central config app via REST to get the features. We will not be able to leverage Spring Cloud Config or Archaius for this purpose.
I went through the documentation and it seems there is support for HttpClient (https://github.com/ff4j/ff4j/wiki/Store-Technologies#httpclient). But I couldn't find any sample for the same. Can someone please let me know if I can leverage this method to build my feature store from a REST endpoint? Also, I would appreciate it if someone could point me to a sample of this.
This is a common pattern.
A component holds the Administration UI (console) and the REST API. You can call it the "Admin Component". For security reasons it may be the only component to have access to the persistence unit (any of the 15 DB implementations available).
For the "admin component" HERE is a sample using a standalone spring-boot application with a JDBC DB, and HERE you find a simple web application.
The REST API can be secured using user/password credentials and/or an API key. More information HERE.
All microservices access the REST API as clients and request the feature store. You will need the dependency ff4j-webapi-jersey2x or ff4j-webapi-jersey1x, which holds the HTTP client. Then you can define the store using:
FeatureStoreHttp storeHTT = new FeatureStoreHttp("http://localhost:9998/ff4j");
Warning: please consider using a cache to limit the overhead introduced by accessing the REST API at each feature usage. More info on caching HERE.

How do I implement basic API gateway

I am working on a school project, and my task is to make a simple API gateway which can be placed between any third-party API and the end users. The gateway can be used for defining usage limits of the API or to do some security analysis. I am totally new to this; I know the basic concept of an API gateway, but don't know how to implement it using Java.
Can anyone please give me some starting point where to start implementation of API gateway?
And what are the frameworks I should use and for what purpose?
Thanks,
Nixit Patel
In a nutshell, an API gateway exposes public APIs, applies policies (authentication - typically via OAuth, throttling, adherence to the defined API, caching, etc.) and then (if allowed) optionally applies transformation rules and forwards the call to the backend. Then, when the backend responds, the gateway (after optionally applying transformation rules again) forwards the response to the original caller. Plus, there would typically be an API management solution around it providing a subscriber portal, user management, analytics, etc.
So basically any web service framework would work as a quick DIY solution.
You can also use the plugin model of an open-source load balancer such as NGINX.
Or take an open-source API Gateway to learn from it - e.g. WSO2 API Manager (the easiest way to see it in action is the hosted version: WSO2 API Cloud)
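The policy chain the answer above lists (authenticate, throttle, check adherence to the defined API, transform, forward), as an added example that is not code from the post or from any of the products it names. Python is used for compactness; the subscriber table, the `X-Api-Key` header, the `/api/` prefix and the `demo_backend` stand-in are assumptions made for the example. API keys are stored only as SHA-256 fingerprints, so a leaked subscriber table does not leak usable keys, and throttling is a per-subscriber token bucket.

```python
"""Toy API gateway: API-key auth, per-subscriber throttling, API adherence,
header transformation and forwarding (added example)."""
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Backend = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def key_fingerprint(api_key: str) -> str:
    """Keys are stored and looked up by hash, never in the clear."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed subscriber table: key fingerprint -> (plan, allowed requests/second).
SUBSCRIBERS: Dict[str, Tuple[str, float]] = {
    key_fingerprint("demo-free-key"): ("free", 2.0),
    key_fingerprint("demo-paid-key"): ("paid", 10.0),
}


@dataclass
class TokenBucket:
    rate: float      # tokens refilled per second
    capacity: float  # maximum burst
    tokens: float
    last: float

    def take(self, now: float) -> bool:
        """Refill according to elapsed time, then spend one token if available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ManualClock:
    """Deterministic clock so throttling can be exercised without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class Gateway:
    def __init__(self, backend: Backend, subscribers: Dict[str, Tuple[str, float]],
                 api_prefix: str = "/api/", clock: Callable[[], float] = time.monotonic) -> None:
        self.backend = backend
        self.subscribers = subscribers
        self.api_prefix = api_prefix
        self.clock = clock
        self.buckets: Dict[str, TokenBucket] = {}

    def handle(self, method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
        # 1. Authentication: resolve the caller from the API key fingerprint.
        fp = key_fingerprint(headers.get("X-Api-Key", ""))
        sub = self.subscribers.get(fp)
        if sub is None:
            return 401, "missing or unknown API key"
        plan, rate = sub
        # 2. Throttling: one bucket per subscriber, burst equal to one second of quota.
        now = self.clock()
        bucket = self.buckets.setdefault(fp, TokenBucket(rate, rate, rate, now))
        if not bucket.take(now):
            return 429, "rate limit exceeded"
        # 3. Adherence to the published API: anything outside it never reaches the backend.
        if not path.startswith(self.api_prefix):
            return 404, "not part of the published API"
        # 4. Transformation: strip the credential, tell the backend who is calling.
        fwd = {k: v for k, v in headers.items() if k.lower() != "x-api-key"}
        fwd["X-Subscriber-Plan"] = plan
        # 5. Forward and relay the backend's response.
        return self.backend(method, path, fwd)


def demo_backend(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for the third-party API behind the gateway."""
    return 200, (f"{method} {path} plan={headers.get('X-Subscriber-Plan')} "
                 f"key_forwarded={'X-Api-Key' in headers}")
```

Each policy step is a separate early return, which is what makes a gateway easy to reason about: a request that fails authentication is never counted against a quota, and a request outside the published API is never seen by the backend.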

RESTful API - Custom Application - C#, Java, php?

This is really basic. I want to implement a RESTful web API.
Now I know you can write custom applications and scripts to integrate with the API.
What I need to know:
In what languages can you write this API? C#, Java, php?
When building/programming a program that implements this API, is this the client and the software that issued the API the server? (e.g. Dropbox would be the server and the custom app that integrates with the Dropbox API is the client?)
Thank you.
A REST API can be built in any programming language that allows you to handle HTTP requests (or can be attached to a Web server as a handler for requests). The two methods I've been using:
Stand-alone Windows service implementing a REST service using WCF
WEB server Apache + PHP
You are correct about the terminology. A program consuming a service is called the client, a program providing a service is called the server (while actually in the PHP approach, Apache would be the server as it is taking the request and having the script handle it).
Additional nitpicking: JQuery is not a language, but a framework to help you use some JavaScript features more easily.
On your comment Recap:
Close :-) The Client transfers JSON/XML/whatever to a server using HTTP requests. The Client can be written in any language that can perform HTTP requests.
On the server side, there needs to be some application that handles the HTTP requests (service), also written in any language, as long as it "speaks" HTTP.
The API is the definition of which operations are possible, for example, adding user accounts, getting the current time, etc. (this is what you define - what do you want your service to do?).
The JSON/XML/whatever that you transfer is the workload, the parameters for the API call. For example, if you want to add a new user to your system, the workload could be the new user name, the real name, the eMail address and some other details about the user. If the API call returns the current server time, you might not need any parameters at all, but you get back JSON/XML/whatever from the service.
The actual call being made is determined by the URL you call. For example, the URL for adding a user could be http://localhost/myrestservice/adduser and you'd perform a POST request against that URL with the required workload. For the time example, the URL could be http://localhost/myrestservice/getservertime and you'd perform a GET request against that URL.
I suggest that you read about how REST services actually work before you start, as I see some question marks on your face ;-)
Short:
API = available operations (=> URLs)
Parameters to API calls = JSON/XML/Plain Text/whatever
Client = calls the service through HTTP
Service = handles the calls, replies to client in response to HTTP requests
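The "API = URLs, workload = JSON" model from the answer above, as an added example that is not code from the post: a dispatcher keyed on (method, URL) with the two operations the answer uses, `POST /myrestservice/adduser` carrying a JSON workload and `GET /myrestservice/getservertime` carrying none. The field names of the adduser workload and the in-memory user table are assumptions; the workload is validated (known fields only, non-empty strings, plausible e-mail) before any state changes, which is where a service rejects unexpected fields it did not define.

```python
"""Minimal REST dispatcher: operations are (method, URL) pairs, the JSON body
is the workload (added example)."""
import json
import re
import time
from typing import Any, Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, Any]]

# Constructed in-memory user table; a real service would use a database.
USERS: Dict[str, Dict[str, str]] = {}

# Fields the adduser operation defines (assumption) and a loose e-mail check.
ADDUSER_FIELDS = {"username", "realname", "email"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def add_user(workload: Any) -> Response:
    """POST /myrestservice/adduser: validate the workload, then create the user."""
    if not isinstance(workload, dict):
        return 400, {"error": "workload must be a JSON object"}
    unknown = set(workload) - ADDUSER_FIELDS
    missing = ADDUSER_FIELDS - set(workload)
    if unknown or missing:
        # Unknown fields are rejected rather than silently stored.
        return 400, {"error": "bad fields",
                     "unknown": sorted(unknown), "missing": sorted(missing)}
    if not all(isinstance(v, str) and v for v in workload.values()):
        return 400, {"error": "all fields must be non-empty strings"}
    if not EMAIL_RE.match(workload["email"]):
        return 400, {"error": "invalid email"}
    if workload["username"] in USERS:
        return 409, {"error": "user exists"}
    USERS[workload["username"]] = dict(workload)
    return 201, {"created": workload["username"]}


def get_server_time(_workload: Any) -> Response:
    """GET /myrestservice/getservertime: no parameters, returns the time."""
    return 200, {"server_time": int(time.time())}


# The API: every operation the service offers, and nothing else.
ROUTES: Dict[Tuple[str, str], Callable[[Any], Response]] = {
    ("POST", "/myrestservice/adduser"): add_user,
    ("GET", "/myrestservice/getservertime"): get_server_time,
}


def dispatch(method: str, path: str, body: Optional[bytes] = None) -> Response:
    """Map an HTTP request onto an operation and hand it the parsed workload."""
    handler = ROUTES.get((method.upper(), path))
    if handler is None:
        # Unknown URL, or a method the URL does not define: not part of the API.
        return 404, {"error": "no such operation"}
    workload = None
    if body:
        try:
            workload = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return 400, {"error": "workload is not valid JSON"}
    return handler(workload)
```

The route table is the API definition the answer talks about; anything not in it gets 404 without touching application code, and the workload is only trusted after it has been checked against what the operation was defined to accept.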
If you are a PHP programmer and familiar with the CodeIgniter framework then go here: Working with RESTful Services in CodeIgniter.
Visit also: Rest Tutorial
First of all, you should begin with learning what a RESTful API is.
http://en.wikipedia.org/wiki/Representational_state_transfer
http://www.restapitutorial.com/
http://rest.elkstein.org/
In what languages can you write this API? C#, Java, php, jQuery?
You can write an API in any language. What can help is the framework you'd be using. jQuery is not a language, but a framework for integrating JavaScript applications in every web browser, so it won't help.
I'd advise you to use a microframework to write your first RESTful API, because they usually are easy to use and help you focus on the important things (bottle/flask in Python, express in JavaScript, silex in PHP, spark in Java or nina in C#).
When building/programming a program that implements this API, is this the client and the software that issued the API the server? (eg. Dropbox would be the server and the custom app that integrates with the Dropbox API is the Client?
You're right, the server is providing you the service, hence the API. The client is a user of that API, and implements it into something useful.
As most of the people stated already, you can do this in just about any language.
Might I suggest that you look into NodeJS? If so, check out Restify: http://mcavage.github.io/node-restify/
There's a nice community behind NodeJS and I think it's quite open to newcomers. Just try not to pick up bad habits from JavaScript pitfalls. If you're new to programming, I'd suggest reading some intro book.
Good luck!

authentication and authorization design in RESTful web application

I have a web application built using RESTful services (JAX-RS).
There are REST calls, and simple JSPs with js files to handle data.
Now I want to implement authentication and authorization in the service. What I did earlier was to implement a simple filter and inside each service check in #HttpRequestContext whether the session has a user object. Since I want to expose the service to, say, an external webapp, I will have to hard-code the system as there is no standard.
I feel this is not good design. Is there a design pattern to solve this common issue?

Basic Authentication with WCF REST service to something other than windows accounts?

Is there a clean way to expose a WCF REST service that requires basic authentication, but where we handle the actual validation of the username/password ourselves? It seems that when you tell WCF in config that you want to use basic authentication, it forces you to turn on basic authentication in IIS, and IIS can only do basic authentication against Windows accounts.
The only hack we have found is to lie to WCF and tell it there is no security on the service and then do authentication outside of the WCF stack using a generic IHttpModule (which has a proprietary config file to indicate which URLs have which authentication/authorization requirements).
It seems like there should be a better way. Anyone have one?
The WCF REST Contrib library enables this functionality:
http://github.com/mikeobrien/WcfRestContrib
It also allows you to secure individual operations.
Is the username and password set on the client like:
cc.ClientCredentials.UserName.UserName = ReturnUsername();
cc.ClientCredentials.UserName.Password = ReturnPassword();
Or are they embedded in the body of the REST message?
If the former, you can use a custom UserNamePasswordValidator:
http://msdn.microsoft.com/en-us/library/aa702565.aspx
If the latter, you can set the service to no security, and use a custom ServiceAuthorizationManager to validate the contents of the message:
http://msdn.microsoft.com/en-us/library/ms731774.aspx
Hope one or the other helps! I'd try to post sample code & config, but I'm at home and don't have access to code, which is all at work.
See Custom Basic Authentication for RESTful services. Pablo's approach uses the interceptor functionality that is provided via the REST starter kit to solve the problem. If you do not want to depend on the REST starter kit, then you can create your own service host and use the interceptor functionality provided.
If you host it on IIS, using a custom HTTP module is the way to go. You can bring the principal over to the WCF side to do code access security. See HTTP Basic Authentication against Non-Windows Accounts in IIS/ASP.NET (Part 3 - Adding WCF Support). Also see Custom HTTP Basic Authentication for ASP.NET Web Services on .NET 3.5/VS 2008.
If you are not using IIS, you should be able to implement userNameAuthentication. See Finally! Usernames over Transport Authentication in WCF.
Yes, absolutely there is a way. You need to configure a custom userNamePasswordValidationMode value for your service and point it to a class with an overridden method that can inspect and validate the credentials provided. When making a RESTful call, these credentials, when using Basic authentication in its proper form, should be in the request header. With this custom method you can inspect the credentials and then authenticate the client to your service. No Windows accounts or domain even needed.
The nice thing is you can then take that security context to the next level and provide fine-grained authorization at the method level. You might have instances where a large pool of clients are able to access the service, but not all methods within (i.e. paid clients vs. unpaid). In this case you can also provide authorization at the method level as well if needed.
Below is a step-by-step solution (with too many steps to embed) by me that contains both the needed configuration and security required to have a complete solution. The problem is often that Basic authentication is used without securing the transport with an SSL certificate, and this is bad. Make sure to follow all the steps and you will implement Basic authentication without the need of any type of Windows accounts or configuration on your WCF RESTful based service.
RESTful Services: Authenticating Clients Using Basic Authentication
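What the custom validator described in the answers above has to do, as an added example that is not code from any of the posts and not WCF itself (Python stands in for the validator class WCF would call): parse the `Authorization: Basic` request header, check the credentials against a store we own rather than Windows accounts, then apply method-level authorization (paid vs. unpaid clients) and refuse Basic credentials that arrive over plain HTTP, which is the transport caveat the last answer raises. The credential store, the operation names and the entitlement table are constructed for the example; passwords are stored as salted PBKDF2 hashes and compared in constant time.

```python
"""Basic authentication against a self-managed credential store, plus
method-level authorization (added example)."""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000
DUMMY_SALT, DUMMY_HASH = b"\x00" * 16, b"\x00" * 32


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_store(plaintext: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build username -> (salt, hash); only ever run at enrolment time."""
    return {user: (salt, _hash_password(pw, salt))
            for user, pw in plaintext.items()
            for salt in (os.urandom(16),)}


def basic_header(username: str, password: str) -> str:
    """What the client puts in the Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


class BasicAuthValidator:
    def __init__(self, store: Dict[str, Tuple[bytes, bytes]],
                 entitlements: Dict[str, Set[str]], realm: str = "api") -> None:
        self.store = store
        self.entitlements = entitlements
        self.realm = realm

    def authenticate(self, header: Optional[str]) -> Optional[str]:
        """Validate the credentials ourselves; return the username or None."""
        creds = parse_basic(header)
        if creds is None:
            return None
        user, password = creds
        record = self.store.get(user)
        # Hash even for unknown users so the response time does not reveal
        # which usernames exist.
        salt, expected = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
        if record is not None and hmac.compare_digest(_hash_password(password, salt), expected):
            return user
        return None

    def authorize(self, scheme: str, operation: str,
                  headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
        """Full request decision: (status, response headers, message)."""
        if scheme.lower() != "https":
            # Basic credentials are reversible; never accept them in the clear.
            return 403, {}, "Basic credentials are only accepted over TLS"
        user = self.authenticate(headers.get("Authorization"))
        if user is None:
            return 401, {"WWW-Authenticate": f'Basic realm="{self.realm}"'}, "authentication required"
        if operation not in self.entitlements.get(user, set()):
            return 403, {}, f"{user} is not entitled to {operation}"
        return 200, {}, f"{operation} ok for {user}"


# Constructed store and entitlements: alice is a paid client, bob is not.
STORE = make_store({"alice": "correct horse battery", "bob": "hunter2"})
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"GetPublicData", "GetPremiumReport"},
    "bob": {"GetPublicData"},
}
VALIDATOR = BasicAuthValidator(STORE, ENTITLEMENTS)
```

The validator keeps authentication (who is calling) and authorization (what that caller may invoke) as two separate decisions, which is what lets a single credential check feed per-method entitlements without a Windows domain anywhere in the picture.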