
I need some suggestions on how to secure REST APIs and a web-based internal system using a single authentication system.

I am looking into the possibility of using:

  1. OAuth 2.0
  2. JA-SIG CAS
  3. Custom Implementation (implement two separate APIs)
    1. To secure REST APIs and redirect calls to specific API instance
    2. To authenticate web application users.
Saqib
  • It seems that none of the above-mentioned systems fulfill this requirement and we have to go for a custom implementation. ref. [link](http://pages.apigee.com/oauth-big-picture-ebook.html) – Saqib Mar 22 '13 at 19:13
  • You might want to try and post this to the CAS listserv, they are really helpful with questions like this: http://www.jasig.org/cas/mailing-lists – blamonet Mar 26 '13 at 18:03

2 Answers

I assume you have a UI for your webapp and want to share your identity between your webapp and your web service. You can achieve that by:

  1. "cassifying" your webapp (for example: https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml)
  2. proxying your calls from your webapp to your web service (https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough).
jleleu
  • Is there any way to achieve this without having to proxy all the calls to the webservice through the webapp? Could the proxy ticket value be returned to the client, and the call made from there? What are the ramifications of such a move? – chrismarx Aug 04 '14 at 21:07
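The answer above relies on the CAS proxy-ticket flow: the CASified webapp validates the user's service ticket and receives a proxy-granting ticket, then obtains a proxy ticket for the web service, which validates it and sees the proxy chain. The following is an added example, not code from the answer or from the Jasig CAS project: a constructed in-memory model of those exchanges (the `/login`, `/serviceValidate`, `/proxy` and `/proxyValidate` steps, with the pgtUrl callback collapsed into a return value and with assumed example URLs and ticket lifetime). It shows the properties a defender relies on when a proxy ticket reaches the REST API: it is bound to one target service URL, it validates only once, and the proxy chain lets the API refuse intermediaries it does not trust.

```python
import secrets
import time

# Assumed ticket lifetime for this toy model; real CAS servers configure their own.
TICKET_TTL = 10.0


class CasError(Exception):
    """Stands in for a CAS validation failure (INVALID_TICKET, INVALID_SERVICE, ...)."""


class ToyCasServer:
    """In-memory stand-in for the CAS 2.0 endpoints used in a proxy flow.
    Constructed for illustration; it is not the Jasig CAS server."""

    def __init__(self, now=time.time):
        self.now = now
        self._single_use = {}   # ST/PT ids -> record; consumed on validation
        self._pgts = {}         # PGT ids -> record; reusable until expiry

    def _record(self, user, service, proxies):
        return {"user": user, "service": service, "proxies": list(proxies),
                "expires": self.now() + TICKET_TTL, "used": False}

    def _consume(self, ticket, prefix, service):
        rec = self._single_use.get(ticket)
        if rec is None or not ticket.startswith(prefix + "-"):
            raise CasError("INVALID_TICKET")
        if rec["used"]:
            raise CasError("INVALID_TICKET: already validated")  # tickets validate once
        if self.now() > rec["expires"]:
            raise CasError("INVALID_TICKET: expired")
        if rec["service"] != service:
            raise CasError("INVALID_SERVICE")  # ticket is bound to another service URL
        rec["used"] = True
        return rec

    def login(self, user, service):
        """/login: after the user authenticates, CAS redirects to `service` with an ST."""
        st = "ST-" + secrets.token_urlsafe(16)
        self._single_use[st] = self._record(user, service, [])
        return st

    def service_validate(self, ticket, service, pgt_url=None):
        """/serviceValidate?ticket=&service=&pgtUrl= -> user, plus a PGT when pgtUrl is given.
        Real CAS delivers the PGT by calling pgtUrl back over HTTPS (pgtIou/pgtId);
        that callback is collapsed into a direct return value here."""
        rec = self._consume(ticket, "ST", service)
        pgt = None
        if pgt_url is not None:
            pgt = "PGT-" + secrets.token_urlsafe(16)
            # The proxy chain records who will act on the user's behalf.
            self._pgts[pgt] = self._record(rec["user"], pgt_url, rec["proxies"] + [pgt_url])
        return {"user": rec["user"], "pgt": pgt}

    def proxy(self, pgt, target_service):
        """/proxy?pgt=&targetService= -> a PT bound to target_service."""
        rec = self._pgts.get(pgt)
        if rec is None or self.now() > rec["expires"]:
            raise CasError("INVALID_TICKET")
        pt = "PT-" + secrets.token_urlsafe(16)
        self._single_use[pt] = self._record(rec["user"], target_service, rec["proxies"])
        return pt

    def proxy_validate(self, ticket, service):
        """/proxyValidate?ticket=&service= -> user and the proxy chain."""
        rec = self._consume(ticket, "PT", service)
        return {"user": rec["user"], "proxies": list(rec["proxies"])}


def api_authenticate(cas, pt, api_url, trusted_proxies):
    """What the REST API does per request: validate the PT against its own URL and
    refuse tickets whose proxy chain contains an intermediary it does not trust."""
    result = cas.proxy_validate(pt, api_url)
    untrusted = [p for p in result["proxies"] if p not in trusted_proxies]
    if untrusted:
        raise CasError("untrusted proxy in chain: %r" % untrusted)
    return result["user"]


def run_flow():
    """Drive the whole exchange and report which checks held (constructed URLs)."""
    cas = ToyCasServer()
    webapp = "https://webapp.example/"
    pgt_url = "https://webapp.example/proxyCallback"
    api = "https://api.example/v1/"

    st = cas.login("alice", webapp)                        # browser -> CAS -> webapp
    validated = cas.service_validate(st, webapp, pgt_url)  # webapp validates ST, gets PGT
    pt = cas.proxy(validated["pgt"], api)                  # webapp requests a PT for the API
    user = api_authenticate(cas, pt, api, {pgt_url})       # API validates PT, inspects chain

    def rejected(fn):
        try:
            fn()
        except CasError:
            return True
        return False

    return {
        "user": user,
        "replay_rejected": rejected(lambda: cas.proxy_validate(pt, api)),
        "wrong_service_rejected": rejected(
            lambda: cas.proxy_validate(cas.proxy(validated["pgt"], api), "https://other.example/")),
        "untrusted_chain_rejected": rejected(
            lambda: api_authenticate(cas, cas.proxy(validated["pgt"], api), api, set())),
    }


if __name__ == "__main__":
    print(run_flow())
```

Running the module prints a dictionary in which the user is resolved to `alice` and all three negative checks (replaying the proxy ticket, validating it for a different service URL, and presenting a chain with an unknown proxy) are rejected; in a real deployment the `trusted_proxies` set is the list of proxy callback URLs the web service is configured to accept.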

Here are a few suggestions on how to secure REST APIs. They are related to iPhones but they are generally applicable to client/server REST API implementations. Without more information I don't know how applicable they are, but they might help you out a bit:

Security When Using REST API in an iPhone Application

https://stackoverflow.com/questions/15390354/api-key-alternative/15390892#15390892

Freedom_Ben
  • We are implementing two separate APIs: 1. for REST APIs and 2. the other for the internal web application. As we are dealing with two different domains of users, I think it is best to have separate authentication APIs for each type of user. – Saqib Mar 24 '13 at 22:13