Most secure way to secure Jersey REST Services
I'm looking really for just advice. I have a system up and running on my Amazon cloud instance that is basically a bunch of REST services running on JBoss. My next step is to secure these services as there will be credit card information flowing through them. I also need authentication as well, so my question is: what are the most secure methods that one can use for REST services?
SSL CA certs, of course, so encrypting the data using a CA is probably where I'll start. Is GoDaddy reputable for this? Or do I have to shell out a lot of money for VeriSign?
For authentication, would it be sufficient to simply do basic auth or maybe just having caller sign the request somehow? Any other methods?
Oh, I forgot to mention: the client application is an iPad application. Thanks for the advice.
You want to be able to protect yourself from man in the middle attacks and prevent replaying of requests. Any time there is payment related information being relayed I would opt for signing the request using a nonce and timestamp. This involves signing the request using a shared secret between the client and server. The secret can be passed one time on login.
Use a timestamp and client generated unique nonce value as part of the signed bytes. These values are also passed back as headers in the request so the server can reassemble the request.
A typical request executed from curl might look like this:
curl -v -H "Content-Type: application/json" -H "Authorization: ff7b93ad-27d0-49f6-90bd-9937951e5fcc:ncYoA5n5s2nFSm7qyvf5hDgL4pmmPOUP3zo/UYfaQKg=" -H "x-date:2013-03-28T19:34:00+00:00" -H "nonce:2d1321d32a" -X GET 'http://localhost/orders/123'
The Authorization header contains an id to identify the requester and then the hash of the signed request. The date header should be within a certain offset of the server time (15 mins is a reasonable limit).
I have a full code example here
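The scheme described in this answer (shared secret from login, HMAC over the request, x-date within a 15-minute window, nonce rejected on replay), written out as an added server-side example; this is not the answer's own code example. The client id, secret, date and nonce values are constructed from the curl line above, and the choice of canonical bytes (method, path, date, nonce) and HMAC-SHA256 are assumptions.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample data: client id -> shared secret handed out once at login.
SECRETS = {"ff7b93ad-27d0-49f6-90bd-9937951e5fcc": b"constructed-shared-secret"}
MAX_SKEW = timedelta(minutes=15)   # the 15-minute offset from the answer
SEEN_NONCES = set()                # production: shared store with expiry

def canonical_bytes(method, path, date, nonce):
    # Bytes both sides sign (assumed layout). Method and path are included so
    # a captured signature is not valid for a different resource or verb.
    return "\n".join([method.upper(), path, date, nonce]).encode()

def sign_headers(client_id, secret, method, path, date, nonce):
    # Client side: HMAC-SHA256 over the canonical bytes, base64 encoded, sent
    # as "Authorization: <id>:<hash>" plus the x-date and nonce headers.
    mac = hmac.new(secret, canonical_bytes(method, path, date, nonce), hashlib.sha256).digest()
    return {"Authorization": client_id + ":" + base64.b64encode(mac).decode(),
            "x-date": date, "nonce": nonce}

def verify(headers, method, path, now_iso=None, seen=None):
    # Server side: True only if the timestamp is inside the window, the
    # signature matches and the nonce has not been used before.
    seen = SEEN_NONCES if seen is None else seen
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    try:
        client_id = headers["Authorization"].split(":", 1)[0]
        date, nonce = headers["x-date"], headers["nonce"]
        ts = datetime.fromisoformat(date)    # Python 3.7+ accepts "+00:00"
    except (KeyError, ValueError):
        return False
    secret = SECRETS.get(client_id)
    if secret is None or ts.tzinfo is None or abs(now - ts) > MAX_SKEW:
        return False
    expected = sign_headers(client_id, secret, method, path, date, nonce)["Authorization"]
    if not hmac.compare_digest(expected, headers["Authorization"]):
        return False
    if nonce in seen:                        # replayed request
        return False
    seen.add(nonce)                          # remember only nonces that verified
    return True
```

The nonce is recorded only after the signature verifies, so an unauthenticated caller cannot fill the replay store with nonces a legitimate client may use later.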
Using certs is a great start to security. I found Thawte a good balance between value and supported clients. When I looked (a while back) GoDaddy wasn't supported by enough of the clients I might have expected (Java, Objective-C/iPad, browsers) but that may have changed by now. You definitely want to make sure the certificate you get is supported by the clients you care about (Objective-C in your case for the iPad).
Basic auth is ok over https, just make sure you don't expose anything in URLs such as ids or tokens since the URL itself is visible. If you POST all your data over https you will be off to a good start.