OASIS Mailing List Archives
RESTful, Secure, Non-SSL Authentication


Speaking of authentication... :) I have been playing around with some ideas for a RESTful, secure login.

What do you think?


     1. JavaScript is required on the client (and server)
     2. Client and Server share the same JavaScript hash (sha1) code.

       * appSessions: A two-dimensional array (for Java, java.util.TreeMap) [[timestamp, someRandomThing]] with length=30 (default, but modifiable) which has the oldest entry removed and a new entry added every minute. In other words, the length of the array is the server-side timeout. Perhaps 'someRandomThing' needs to come from a central authority for load balancing?? This has nothing to do with client state - so it's RESTful, right?

       * Ability to use custom login form
       * Ability to logout by submitting login form with invalid  
       * Ability to forget/reset password

   GET request for secure resource from unauthenticated user

     1. remoteIp: get the remote IP
     2. mostRecentEntry: get the most recent entry from the 2d array
       * timestamp
       * someRandomThing
     3. salt: sha1(remoteIp + someRandomThing)

   GET response

     4. send auth request back to client with the following headers:
       * STAMP = timestamp
       * BITE = salt
       * REALM = something
       * CODE: 3 // log in tries??
     5. client stores the headers with JavaScript
     6. client/user interaction
       a. Present login form - page/thickbox/whatev...
       b. user enters username and password -> submits form
       c. credentials: sha1(BITE + sha1(username:REALM:password))
       d. send GET request: {
         headers: {
           STAMP: STAMP,
           CREDS: credentials,
           CODE: 3 // log in tries??
         },
         parameters: {
           username: username
         }
       }

   GET Auth request

     7. use the STAMP header to get 'someRandomThing' if it still exists (otherwise user session has timed out)
     8. salt: sha1(remoteIp + someRandomThing)
     9. existingCreds = user.getCredentials()
     10. if (CREDS == sha1(salt + existingCreds)) {
       redirect to secure resource
     } else {
       send error unauthorized
       send auth request back to client with the following headers:
       * STAMP = timestamp
       * BITE = salt
       * REALM = something
       * CODE: 2 // log in tries??
     }

QUESTION: Will the client remote IP be the same between request- 

