开发者

2-legged OAuth and REST

I would like to put a web service, at the moment in a intranet of my company, on internet, to make partners able to access information provided by the web service. At the moment, web service is in a SOA, and I decided to move everything to RESTful web service, so in a web oriented architecture. I'm considering some security aspects I should take into account to do this operation.

I don't know which solution can be more useful in my case. I've alr开发者_如何学编程eady looked for HMAC, OAuth information, but I would like to know if is possibile to use OAuth, without introducing a third part.

For example, a partner want to sign in the web site, and then continue the navigation, is 2-legged OAuth useful for my needs? Are there other useful security solution to do this operation?

Really Thanks.


Yes, OAuth supports a "2-legged" case; just omit the oauth_token parameter, and then use either HMAC-SHA1 (shared secret) or RSA-SHA1 (public key) as desired. It's worth noting that the signatures do not cover everything an API client might send; it doesn't cover the body of PUT requests or the body of POST requests that aren't form submissions.

You may want to investigate simply using HTTPS + Basic Auth, as this lets you leverage lots of off-the-shelf software (Apache or equivalent) without having to introduce signing libraries into your client and server.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜