[ https://issues.apache.org/jira/browse/CONNECTORS-1177?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Wright resolved CONNECTORS-1177.
-------------------------------------
Resolution: Fixed
> Add authentication support for REST api
> ---------------------------------------
>
> Key: CONNECTORS-1177
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1177
> Project: ManifoldCF
> Issue Type: Improvement
> Components: API
> Affects Versions: ManifoldCF 1.8.2, ManifoldCF 2.0.2
> Reporter: Karl Wright
> Assignee: Karl Wright
> Fix For: ManifoldCF 1.9, ManifoldCF 2.1
>
>
> Best practices, as far as I can tell, are here:
> https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
> {code}
> RESTful web services should use session-based authentication, either by
> establishing a session token via a POST or by using an API key as a POST body
> argument or as a cookie. Usernames, passwords, session tokens, and API keys
> should not appear in the URL, as this can be captured in web server logs,
> which makes them intrinsically valuable.
> {code}
> There's nothing intrinsically wrong with using standard web application
> session management as a means of managing sessions. The only potential
> complication is the Java session ID on the URL -- but that can be disabled at
> the web application level.
> The other complication is session expiration. Sessions must eventually
> expire; we will need to signal that by returning a 403 HTTP code should that
> occur.
> In order to make this work, we need to add a LOGIN post request, whose job it
> is to establish a session and verify credentials. The credentials can be
> placed in the properties.xml file for now, as is done for the web UI. ALL
> requests to the API must verify the contents of the credentials bean in order
> for this to work. This can be done by simply coding the check at the API's
> servlet implementation.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
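The LOGIN-then-session-check flow the issue describes, as an added illustration that is not ManifoldCF's own code. It assumes a servlet mounted under the API path, `userID`/`password` POST body parameters, a hypothetical session attribute name, and constructed stand-ins for the credentials that would be read from properties.xml.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.http.*;
// Added illustration, not ManifoldCF code. Keep jsessionid off the URL in
// web.xml: <session-config><tracking-mode>COOKIE</tracking-mode></session-config>
public class ApiAuthServlet extends HttpServlet {
  private static final String AUTH_ATTR = "api.authenticated"; // assumed name
  // Constructed stand-ins for the values that would come from properties.xml.
  private static final String CONFIGURED_USER = "admin";
  private static final String CONFIGURED_PASSWORD = "change-me";
  @Override
  protected void doPost(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    if ("/LOGIN".equals(req.getPathInfo())) {
      // Credentials travel in the POST body, never the URL, so access logs never
      // see them. The parameter names are an assumption.
      String user = req.getParameter("userID");
      String pass = req.getParameter("password");
      if (user != null && pass != null && constantTimeEquals(user, CONFIGURED_USER)
          && constantTimeEquals(pass, CONFIGURED_PASSWORD)) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();             // defeat session fixation
        req.getSession(true).setAttribute(AUTH_ATTR, Boolean.TRUE);
        resp.setStatus(HttpServletResponse.SC_OK);
      } else {
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      }
      return;
    }
    if (!requireSession(req, resp)) return;
    // ... dispatch the authenticated API call (doGet/doPut/doDelete do the same) ...
  }
  // Every API request checks the session; none, or an expired one, yields 403
  // as the issue specifies, so the client knows to LOGIN again.
  static boolean requireSession(HttpServletRequest req, HttpServletResponse resp)
      throws IOException {
    HttpSession s = req.getSession(false);
    if (s == null || !Boolean.TRUE.equals(s.getAttribute(AUTH_ATTR))) {
      resp.sendError(HttpServletResponse.SC_FORBIDDEN);
      return false;
    }
    return true;
  }
  // Fixed-time comparison so a wrong password does not leak matching prefixes.
  static boolean constantTimeEquals(String a, String b) {
    return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
  }
}
```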