11

I'm developping a REST API and I need to tranport cryptograms to authenticate the message for each request in a applicative process (MAC encryption from secret keys). I was thinking about putting them in the message header to avoid adding non-data information in the message body which contains the posted/retrieved object (XML or JSON).

Is it a best practise ?

Can I add as many parameters I want in the header ? I've read that I must prefix them with "x-". The behavior of this parameter is exactly the same than Path or Query params ?

I'm using Jersey.

Thank you for you help.

Zofren
  • 1,190
  • 2
  • 11
  • 22
  • Additonnal question : is it better to use existing header parameters (Date, Authorization) or to create specific ones (x-app-date, x-app-auth) ? – Zofren Oct 11 '10 at 13:20

1 Answers1

11

  1. Yes I believe it is acceptable to have header parameters to transfer certain data. The JAX-RS standard even defines the @HeaderParam annotation. Simple example of @HeaderParam.

  2. It is a convention to prefix non-standard http headers with "x-".

I had a similar situation to yours: I needed to transfer user token and application ID with every REST call. To avoid code duplication I implemented PreProcessInterceptor (I'm using Resteasy), through which all REST requests are routed. If user token is not valid and if user does not have privileges to given application ID, then I return 401 unauthorized. My code looked similar to this (simplified version):

@Provider
@ServerInterceptor
public class RestSecurityInterceptor implements PreProcessInterceptor {

    @Override
    public ServerResponse preProcess(HttpRequest request, ResourceMethod method) 
           throws UnauthorizedException {

        String token = request.getHttpHeaders().getRequestHeader("token").get(0);

        // user not logged-in?
        if (checkLoggedIn(token)) {
            ServerResponse response = new ServerResponse();
            response.setStatus(HttpResponseCodes.SC_UNAUTHORIZED);
            MultivaluedMap<String, Object> headers = new Headers<Object>();
            headers.add("Content-Type", "text/plain");
            response.setMetadata(headers);
            response.setEntity("Error 401 Unauthorized: " 
                 + request.getPreprocessedPath());
            return response;
        }
        return null;
    }
}
Peter Knego
  • 79,991
  • 11
  • 123
  • 154
  • Thank you. The Interceptor solution is elegant but my authentication process is not generalized in all my application. – Zofren Feb 21 '11 at 07:18