Nov 28th, 2010, 05:16 AM
Replacing basic authentication
We currently use basic authentication to secure REST web services but my boss wants something more secure. In the usual boss manner, he just vaguely mentioned OAuth and left it at that.
I've looked around but can't find any examples of how to do this; all I can tell is that perhaps the two-legged approach will work. Can anyone point me to anything that would help? Any insight would be useful at this point.
Nov 29th, 2010, 10:33 AM
So I wouldn't necessarily say that OAuth is "more secure" than HTTP Basic Auth (assuming over SSL, of course). OAuth has a different purpose, specifically for delegated access. Perhaps before you start applying OAuth instead of HTTP Basic, you could get more clarity from your boss about what he means by "more secure".
But to answer your question, disabling HTTP Basic Auth and enabling OAuth is a pretty simple thing to do. Just disable the HTTP Basic filter and enable the OAuth filter. The best candidates for replacement of HTTP Basic Auth would probably be 2-legged OAuth or OAuth 2 "native application" profile.
Nov 30th, 2010, 02:41 AM
Thanks for the reply. I agree, a little more specification of what's required would be useful.
In the meantime, I'll have a go at what you suggest.