Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Catalyst: Users

RESTful authentication

  

 
Catalyst users RSS feed   Index | Next | Previous | View Threaded


christian at lackas

May 21, 2009, 2:25 AM

Post #1 of 3 (357 views)
Permalink
RESTful authentication
* Ivan Wills <ivan.wills[at]gmail.com> [090521 09:23]:

Hi Everybody,

I already did some googling, but did not find a satisfying answer yet.
What is state-of-the-art approach to control access to REST resources.
For the regular (browser based) web interface, I use Catalyst's
Authentication, Authorization::Roles and Authorization::ACL, which is
session and thus cookie based; thus does not fit REST.
So I looked into providing user information in the URL, such as

http://user:pass[at]host/webdisk/data/path/to/file

(for which I found Apache Rewrite rules to pass this information down to
Catalyst via FastCGI), however, I am not so convinced of this approach.
Would it still be considered RESTful, if I issue an auth token, e.g.
via

http://user:pass[at]host/webdisk/login/username/password (retuning token)

and then use nouns such as

http://user:pass[at]host/webdisk/TOKEN/data/path/to/file

Does Catalyst provide any plugins for this? Could not find anything on
CPAN.

Thanks for your input
Christian


_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


bobtfish at bobtfish

May 21, 2009, 3:06 AM

Post #2 of 3 (338 views)
Permalink
Re: RESTful authentication [In reply to]
Christian Lackas wrote:

> I already did some googling, but did not find a satisfying answer yet.
> What is state-of-the-art approach to control access to REST resources.

When you say 'REST resources', I'm guessing you mean some sort of API,
rather than a normal person facing site which happens to be restful..

Use HTTP headers.

> http://user:pass[at]host/webdisk/data/path/to/file

I think that's very ugly, but workable.

>
> http://user:pass[at]host/webdisk/TOKEN/data/path/to/file

This is horrible if the TOKEN changes.

> Does Catalyst provide any plugins for this? Could not find anything on
> CPAN.

I just use HTTP basic or digest auth.

Works well, very standard, no messing around, supported by everything..

Of course, just making a /login URI which returns you a cookie you
provide back to other URIs to get access isn't directly non-RESTFul in
itself...

Cheers
t0m


_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


diment at gmail

May 21, 2009, 3:25 AM

Post #3 of 3 (336 views)
Permalink
Re: RESTful authentication [In reply to]
On 21/05/2009, at 8:06 PM, Tomas Doran wrote:

> Christian Lackas wrote:
>
>> I already did some googling, but did not find a satisfying answer
>> yet.
>> What is state-of-the-art approach to control access to REST
>> resources.
>
> When you say 'REST resources', I'm guessing you mean some sort of
> API, rather than a normal person facing site which happens to be
> restful..
>
> Use HTTP headers.

Just to be completely clear, t0m means
Catalyst::Authentication::Credential::HTTP





>
>
>> http://user:pass[at]host/webdisk/data/path/to/file
>
> I think that's very ugly, but workable.
>
>> http://user:pass[at]host/webdisk/TOKEN/data/path/to/file
>
> This is horrible if the TOKEN changes.
>
>> Does Catalyst provide any plugins for this? Could not find anything
>> on
>> CPAN.
>
> I just use HTTP basic or digest auth.
>
> Works well, very standard, no messing around, supported by
> everything..
>
> Of course, just making a /login URI which returns you a cookie you
> provide back to other URIs to get access isn't directly non-RESTFul
> in itself...
>
> Cheers
> t0m
>
>
> _______________________________________________
> List: Catalyst[at]lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/



_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Catalyst users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact lists@gossamer-threads.com
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.