[play-pac4j] Protecting REST Endpoints


andrew

Mar 2, 2016, 6:21:36 PM
to pac4j-users
I understand from the documentation that, to protect my own REST endpoints in the Play framework, I would need to make use of a Direct (stateless) client. I'm unsure which client would best suit this purpose - any suggestions from the community based on their experience? Pros/cons of when I should use one direct client over another?

andy

Jérôme LELEU

Mar 5, 2016, 4:21:36 AM
to andrew, pac4j-users
Hi,

Correct. For REST endpoints (where credentials will be passed with every request), you should use a direct client: it defines the way to get your credentials (from basic auth, from a single request parameter, from a cookie, from a header...) and the attached authenticator will validate your credentials.

So it depends on the credentials you have and the way to validate them. One security consideration is to avoid sending sensitive parameters (like a password) in the URLs; the performance consideration is to avoid validating the credentials for each request, by using the LocalCachingAuthenticator as a wrapper for your authenticator.

Common scenarios:
1) I have application credentials, already known by the caller: they are passed via basic auth (DirectBasicAuthClient) or POSTed as a form (DirectFormClient) and validated against a database (DbAuthenticator), an LDAP directory (LdapAuthenticator)..., the authenticator being wrapped by a LocalCachingAuthenticator.
2) I have a user who authenticates via a UI, and then I turn his identity into a JWT token I can use to call a REST endpoint (ParameterClient with a JwtAuthenticator).

Thanks.
Best regards,
Jérôme



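Wiring the two scenarios from the reply above, as an added example that is not code from the thread or from pac4j itself. It uses pac4j 2.x-style constructors (Authenticator-typed), adds a HeaderClient as the transport that keeps the token out of URLs, and the cache size, timeout, parameter name and secret are constructed values; check package paths and signatures against the pac4j version you actually use.

```java
// Added example, not from the thread or the pac4j project. Constructor shapes
// follow pac4j 2.x; cache/secret/parameter values are constructed placeholders.
import java.util.concurrent.TimeUnit;

import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.credentials.authenticator.LocalCachingAuthenticator;
import org.pac4j.http.client.direct.DirectBasicAuthClient;
import org.pac4j.http.client.direct.HeaderClient;
import org.pac4j.http.client.direct.ParameterClient;
import org.pac4j.jwt.config.signature.SecretSignatureConfiguration;
import org.pac4j.jwt.credentials.authenticator.JwtAuthenticator;

public class RestSecurityConfig {

    // Scenario 1: application credentials sent as HTTP Basic auth and checked
    // against a store (DbAuthenticator, LdapAuthenticator, ...). The wrapper
    // caches a successful validation so the store is not queried per request.
    static DirectBasicAuthClient basicClient(Authenticator store) {
        // up to 10000 cached entries, each kept for 15 minutes (assumed values)
        Authenticator cached = new LocalCachingAuthenticator(store, 10000, 15, TimeUnit.MINUTES);
        return new DirectBasicAuthClient(cached);
    }

    // Scenario 2: a JWT issued after UI login is presented on each REST call.
    // A header is the preferred transport: the token never lands in URLs or
    // in web-server access logs.
    static HeaderClient jwtHeaderClient(String jwtSecret) {
        JwtAuthenticator jwtAuth = new JwtAuthenticator(new SecretSignatureConfiguration(jwtSecret));
        return new HeaderClient("Authorization", "Bearer ", jwtAuth);
    }

    // If the token must travel as a request parameter (the ParameterClient
    // case), accept it only from the POST body, never from the query string.
    static ParameterClient jwtParameterClient(String jwtSecret) {
        JwtAuthenticator jwtAuth = new JwtAuthenticator(new SecretSignatureConfiguration(jwtSecret));
        ParameterClient client = new ParameterClient("token", jwtAuth);
        client.setSupportGetRequest(false);
        client.setSupportPostRequest(true);
        return client;
    }

    // Register the clients; in play-pac4j each endpoint then names the client
    // it requires, e.g. @Secure(clients = "DirectBasicAuthClient").
    static Config build(Authenticator store, String jwtSecret) {
        Clients clients = new Clients(basicClient(store), jwtHeaderClient(jwtSecret), jwtParameterClient(jwtSecret));
        return new Config(clients);
    }
}
```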
