users@jersey.java.net

Re: [Jersey] Authentication and Cookies

From: Imran M Yousuf <imyousuf_at_smartitengineering.com>
Date: Wed, 13 Oct 2010 11:03:58 +0600

Hi Michael,

On Wed, Oct 13, 2010 at 10:43 AM, Michael McCutcheon
<michael.mccutcheon_at_att.net> wrote:
> <skip />
> Some general questions:
>
> 1 - Is it a normal pattern to pass the authentication header over and over
> for the same user making multiple calls to service methods?  Is there a way
> to make it so that this header only needs to be passed once for a given
> period of time?
>

Yes, it is normal: as the server is stateless, it is not supposed to remember
credentials from previous requests and should handle each request
independently of the last one. Whereas your client can remember the
credentials, so the user (a person or program) does not have to pass them
every time unless s/he/it wishes to change the credentials.

> 2 - For some of the service methods that don't change data (i.e. GET based
> calls), I still need the userid of the user making the call.  What is the
> best way to pass this?  A value in a cookie?  If so, should it be encrypted
> to prevent cross site scripting attacks?
>

Well, there can be various ways of interpreting this to determine the
"best" way for your case. For example, if your GET by user represents
a search you might consider passing the user id as a query parameter,
whereas if your userid represents a directory or container of data
(e.g. tweets, feeds) you might consider it as a PathParam. Now coming to
the point of cross-site scripting, you may use the Entity Tag if you
have to, or an API Key concept, or any other concept suiting you best :).
If I want my web service URI not to be easily templateable, one way is
to encrypt+base64 the path params when exposing them and decrypt them to
identify the resource in question. To a web service consumer the URI is
meaningless, as it is supposed to discover it rather than form it.

Regards,

Imran

> Just looking for some general guidance for how/when to use the
> Authentication headers, cookies, etc.
>
> thanks,
> Mike



-- 
Imran M Yousuf
Entrepreneur & CEO
Smart IT Engineering Ltd.
25/5B, Block F, Haji Chinu Miah Road Bylane
Joint Quarter, Mohammadpur
Dhaka - 1207, Bangladesh
Email: imran_at_smartitengineering.com
Twitter: @imyousuf - http://twitter.com/imyousuf
Blog: http://imyousuf-tech.blogs.smartitengineering.com/
Mobile: +880-1711402557
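Added example, not code from the thread or from Jersey itself: a JAX-RS 1.1 resource (the API Jersey 1.x implements) that takes the user id as a PathParam, as suggested above for a "container of data" URI, and decides authorization from the identity the container established for the stateless request rather than from the id in the URI. The resource name, path and findTweets lookup are assumptions for the illustration.

```java
// Assumed names: TweetsResource, "/users/{userId}/tweets", findTweets.
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import java.security.Principal;

@Path("/users/{userId}/tweets")
public class TweetsResource {

    @GET
    @Produces("application/json")
    public Response getTweets(@PathParam("userId") String userId,
                              @Context SecurityContext sc) {
        // The server keeps no session: every request carries its own
        // Authorization header, and the container (or an auth filter)
        // turns it into the Principal exposed through SecurityContext.
        Principal caller = sc.getUserPrincipal();
        if (caller == null) {
            // No credentials on this request: challenge the client.
            return Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Basic realm=\"tweets\"")
                    .build();
        }
        // The user id in the path is only a locator. Whether the caller
        // may read that container is decided from the authenticated
        // identity, never from the URI (or a cookie) alone.
        if (!caller.getName().equals(userId) && !sc.isUserInRole("admin")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok(findTweets(userId)).build();
    }

    // Placeholder for the data lookup; assumed, not part of the thread.
    private String findTweets(String userId) {
        return "[]";
    }
}
```

A GET for /users/alice/tweets with bob's credentials is refused with 403 even though the request is otherwise well formed, which is the check the userid-in-the-URI pattern needs.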