Hi. I have some concerns while designing the authentication part of my API built with Restlet 2.1. I'd like your opinion on what I've already done, and I'm here to ask for some advice on some more stuff.

My needs are:

1. I want to identify application users by cookie, to assign fine-grained authorization.
2. I'd rather delegate the API management (limits and also app authentication) to ApiGee.
3. The whole API should be blocked: no one can access it without a secure password, which I'll provide only to ApiGee.

In this scenario, one can access the backend only via the ApiGee proxy. So any resource-level authorization will be handled at the ApiGee level, and so will third-party app API keys and so on. At the Restlet level, I'll just parse the cookie (or answer 401 if no cookie is present), identify the user, assign roles and provide fine-grained authorization. I do not even need to track the app, because roles are applied to users. Maybe in the future I'll have some role sets that depend on apps, but that is not the case for now (I just have the frontend user app and the administration console).

Does all of this seem reasonable, or am I making some big mistake that will lead to problems, pitfalls, security issues etc.?

That's all, thanks anyone for any advice.

-- 
Daniele Dellafiore
http://danieledellafiore.net

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3001992
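The filter chain described in the post (proxy-only access, cookie lookup with 401 when it is missing, user identification, role enrolement, role-based authorization on a resource), written out as an added Restlet 2.1 example. This is not the poster's code: the `X-Backend-Secret` header name, the placeholder secret, and the session and role maps are all assumptions constructed for the example. Two design points it makes concrete: the cookie carries an opaque session id that is looked up server-side (the user id is never taken from the cookie value itself), and the proxy secret is compared in constant time and rejected with 403 rather than 401, since no credential challenge is being offered to a caller that bypassed the proxy.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import org.restlet.Application;
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.data.Form;
import org.restlet.data.MediaType;
import org.restlet.data.Status;
import org.restlet.routing.Router;
import org.restlet.security.Authenticator;
import org.restlet.security.ClientInfo;
import org.restlet.security.Enroler;
import org.restlet.security.Role;
import org.restlet.security.RoleAuthorizer;
import org.restlet.security.User;

/** Added example, not the poster's code: proxy gate -> cookie authenticator -> router. */
public class CookieAuthApplication extends Application {

    static final Charset UTF8 = Charset.forName("UTF-8");

    // Hypothetical header in which the ApiGee proxy presents the shared secret.
    static final String PROXY_HEADER = "X-Backend-Secret";
    // Placeholder only: load the real value from configuration, never hard-code it.
    static final byte[] PROXY_SECRET = "REPLACE-WITH-LONG-RANDOM-SECRET".getBytes(UTF8);
    static final String SESSION_COOKIE = "session";

    // Shared Role instances so the enroler and the authorizer agree by identity.
    static final Role ADMIN = new Role("admin");
    static final Role USER = new Role("user");

    // Constructed sample data: opaque session id -> user id, user id -> role.
    static final Map<String, String> SESSIONS = new HashMap<String, String>();
    static final Map<String, Role> USER_ROLES = new HashMap<String, Role>();
    static {
        SESSIONS.put("s-7d1e9a0c4b2f", "alice");
        SESSIONS.put("s-0b3c8e5f1a9d", "bob");
        USER_ROLES.put("alice", ADMIN);
        USER_ROLES.put("bob", USER);
    }

    /** Gate 1: only requests carrying the proxy's secret reach the backend at all. */
    static final class ProxySecretAuthenticator extends Authenticator {
        ProxySecretAuthenticator(Context context) { super(context); }

        @Override
        protected boolean authenticate(Request request, Response response) {
            // Restlet 2.1 exposes raw HTTP headers through this request attribute.
            Form headers = (Form) request.getAttributes().get("org.restlet.http.headers");
            String presented = headers == null ? null : headers.getFirstValue(PROXY_HEADER);
            // Constant-time comparison: response time must not leak how many bytes matched.
            boolean ok = presented != null
                    && MessageDigest.isEqual(presented.getBytes(UTF8), PROXY_SECRET);
            if (!ok) response.setStatus(Status.CLIENT_ERROR_FORBIDDEN);
            return ok;
        }
    }

    /** Gate 2: map the session cookie to a user; missing or unknown cookie -> 401. */
    static final class SessionCookieAuthenticator extends Authenticator {
        SessionCookieAuthenticator(Context context) {
            // The Enroler runs after successful authentication and assigns roles to the user.
            super(context, false, new Enroler() {
                public void enrole(ClientInfo clientInfo) {
                    Role role = USER_ROLES.get(clientInfo.getUser().getIdentifier());
                    if (role != null) clientInfo.getRoles().add(role);
                }
            });
        }

        @Override
        protected boolean authenticate(Request request, Response response) {
            String sessionId = request.getCookies().getFirstValue(SESSION_COOKIE);
            String userId = sessionId == null ? null : SESSIONS.get(sessionId);
            if (userId == null) {
                response.setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
                return false;
            }
            request.getClientInfo().setUser(new User(userId));
            return true;
        }
    }

    @Override
    public Restlet createInboundRoot() {
        Router router = new Router(getContext());
        // Any authenticated user may read their own identity.
        router.attach("/me", new Restlet(getContext()) {
            @Override
            public void handle(Request request, Response response) {
                String who = request.getClientInfo().getUser().getIdentifier();
                response.setEntity("user=" + who, MediaType.TEXT_PLAIN);
            }
        });
        // Fine-grained authorization: only the admin role reaches /admin (403 otherwise).
        RoleAuthorizer adminOnly = new RoleAuthorizer();
        adminOnly.getAuthorizedRoles().add(ADMIN);
        adminOnly.setNext(new Restlet(getContext()) {
            @Override
            public void handle(Request request, Response response) {
                response.setEntity("admin console", MediaType.TEXT_PLAIN);
            }
        });
        router.attach("/admin", adminOnly);

        Authenticator proxyGate = new ProxySecretAuthenticator(getContext());
        Authenticator cookieAuth = new SessionCookieAuthenticator(getContext());
        proxyGate.setNext(cookieAuth);
        cookieAuth.setNext(router);
        return proxyGate;
    }
}
```

Attach `CookieAuthApplication` to a `Component` as usual; a request without the proxy header gets 403 before the cookie is even read, a proxied request without a valid `session` cookie gets 401, and a proxied request for `/admin` with bob's cookie gets 403 from the `RoleAuthorizer`. The session and role maps stand in for whatever store the real application uses; the point of the structure is that the backend trusts the cookie only as a lookup key, and trusts the proxy only through the secret.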