I am using RESTeasy framework to build up my web service. I have handled to setup Fundamental authentication, which is working correctly now. Obviously, I actually do intend to use SSL on the top of the.
The operation is simple (and please read something about HTTP fundamental Auth if you do not understand what this really is about):
- Every request is intercepted with a method which evaluates the request header.
- This header is decoded and also the account information are removed.
- The technique then queries the database to see if the account information match.
- When they match the request proceeds, when they don't, a 401 code is came back.
With this particular approach, every request suggests a request towards the database, because of the stateless character of Relaxation (and HTTP itself).
My real question is: Can you really don't query the database on every authenticated request?
Possible hints: Some mechanism using snacks?
This is technologically agnostic.
Just like a side note:
I truly believe that there's hardly any info on this Relaxation authentication matter. It is simply OAuth, OAuth, OAuth... When we don't wish to authenticate third party programs, details are scattered everywhere and there isn't any concrete good examples, like you will find using OAuth. For those who have worthwhile recommends regarding Authentication in Relaxation WebServices, I would like to hear them.
You will find other ways to implement an "Auth Ticket" (google might you'll most likely find some non-OAuth references) with snacks to ensure that its not all request takes a database query. However, these usually involve a crypto key.
I am not believing that guidelines ought to be to keep crypto type in the origin files (but this is the way lessons usually implement it), so you may incorporate some kind of disk access (via qualities file, keystore, etc) even when you do not query a database.
As Perception states, adding snacks (condition) to some stateless system design is kind of cheating.
Use something similar to memcached being an intermediate for your database. See if qualifications are cached, if they're follow the request, if they're not cached, pull them in the database and verify the qualifications. When the qualifications match cache them for future demands and follow the current one.
Bear in mind that use of memchaced should be as secure as use of your database because it hass passwords saved inside it. This is among the reasons A lot of sites are utilizing OAuth, especially OAuth 2 in which you hands out a brief resided access token along with a lengthy resided refresh token which get a brand new access token if needed.
Welcome to everything about Representational Condition Tranfer Security! You realize, I sent a note to Roy Fielding asking the way you could produce a truly Peaceful service which was also secure. He has not become to me yet.
Your two options actually are Fundamental Auth (hopefully using SSL, or what is the point), or OAuth. For the solutions I'm presently associated with we're using OAuth. Although it reduces testing it's very secure and enables us to produce externalizable API's from our services.
I advice against using snacks to keep session information. Besides this violate the spirit of Relaxation, it reveals the application to session hijacking. One factor that can be done to quicken things is conserve a good second level cache with user information, to ensure that your queries don't really hit the DB for each incoming demands. This could provide a significant speed boost. This plan works as well for fundamental auth and Oauth.