Restful authentication between two GAE apps
I am trying to write a RESTful Google App Engine application (Python) that accepts requests only from another GAE that I wrote. I don't like any of the ways that I thought of getting this done, please advise if you know of something better than:
Get SSL set up, and simply add the credentials on the request that my consuming app will send. I don't like it because SSL will slow things down.
Security by obscurity. Add a random number in my request that is in Xmod0, where X is a secret number that both applications know. I just don't like this.
Check the HTTP header to see where the request is coming from. This option is the one that I hate the least, not a lot of processing, and spoofing an HTTP request is not really worth it, for my application's data.
Is there any other clean solution for this?
Use an HMAC. Embed the same secret in each app, and sign requests and responses using the HMAC. Don't forget to include nonces and timestamps to prevent replay attacks!
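The scheme from the answer above, as an added example that is not part of the original post: the caller signs method, path, body, timestamp and nonce with HMAC-SHA256, and the receiver checks freshness, the signature, and nonce reuse. The header names, the 300-second window, the secret value and the in-memory nonce store are assumptions; on App Engine the nonce store would have to be shared between instances, and responses can be signed the same way.

```python
import hashlib
import hmac
import os
import time

SHARED_SECRET = b"constructed-demo-secret"  # assumption: same value deployed in both apps
MAX_SKEW = 300  # assumed validity window in seconds
_seen_nonces = {}  # nonce -> timestamp; in-memory stand-in for a shared store


def _mac(method, path, body, timestamp, nonce):
    # Length-prefix every field so bytes cannot be shifted between fields.
    parts = [method.encode(), path.encode(), body, str(timestamp).encode(), nonce.encode()]
    msg = b"".join(str(len(p)).encode() + b":" + p for p in parts)
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def sign_request(method, path, body, now=None):
    """Caller side: return the headers to attach to the outgoing request."""
    timestamp = int(time.time() if now is None else now)
    nonce = os.urandom(16).hex()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce,
            "X-Signature": _mac(method, path, body, timestamp, nonce)}


def verify_request(method, path, body, headers, now=None):
    """Receiver side: True only for a fresh, unseen, correctly signed request."""
    now = int(time.time() if now is None else now)
    try:
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        signature = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_SKEW:
        return False  # stale, or too far in the future
    expected = _mac(method, path, body, timestamp, nonce)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False  # compared in constant time
    # Nonces outside the window can be forgotten: the timestamp check rejects them.
    for old in [n for n, t in _seen_nonces.items() if abs(now - t) > MAX_SKEW]:
        del _seen_nonces[old]
    if nonce in _seen_nonces:
        return False  # replay of an already accepted request
    _seen_nonces[nonce] = timestamp
    return True
```

The nonce is recorded only after the signature verifies, so unauthenticated traffic cannot fill the nonce store.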