
I need help with the design of my web app. I want to build a REST web service that needs authentication, and a web app that accesses this web service to get the data. All the users are stored in an external database (like OpenLDAP, Active Directory, or whatever).

 _____________        __________________
|             |      |                  |
|   web app   |----->|   REST service   |
|_____________|      |__________________|

                      _______________
                     |               |
                     |    user db    |
                     |_______________|

The question is: do I need to make the authentication on the web app and the web service, or can the web app verify the login through the web service?

Hope my question is understandable enough.

EDIT: to clarify the situation: my web service is standalone, and any kind of application could access it (like a web app, a smartphone app, curl, etc.). I think my question needs clarification too. I want to know if it's possible to put all the authentication logic in the service. I imagine something like this:

  1. The app queries the resource http://mywebservice.com/login with HTTP basic authentication.
  2. If the credentials are valid, the response will be something like {"loginStatus":true}, or false if they're invalid.

Is it a possible solution? Is it secure?

Raedwald
loics2
  • Is the REST service planned as a stand-alone service which is accessible to any user who can access the host of the REST service, or is it some kind of middleware / backend for the web app? – andih Jun 20 '13 at 12:22
  • Yeah the service is planned to be standalone – loics2 Jun 20 '13 at 12:25
  • What I'm trying to understand is: Should it only be possible to access the data returned by the REST service via a web interface (web app), or should it also be possible for any authorized user to query the raw data via the REST service API (for example by using curl: `curl -H "Accept:application/json" http://mywebapp.example.net/rest/myresource?start=1&end=99999999` )? – andih Jun 20 '13 at 13:33
  • Yeah it's planned to be accessible to any kind of app, not only a web app – loics2 Jun 20 '13 at 13:43
  • In this case your REST service may need something like an Authorization header [http://en.wikipedia.org/wiki/Basic_access_authentication]. Your web application can provide some login box and use the Authorization header to gain access to the REST resources. If the user is not logged in (Authorization header is missing) the REST service returns an HTTP status code 403 - Forbidden and the user has to log in via the web app or whatever. – andih Jun 20 '13 at 13:58
  • I just edited my question, I thought it needed some clarifications – loics2 Jun 20 '13 at 14:12
  • First you may want to have a look at http://stackoverflow.com/questions/4608225/how-do-i-implement-login-in-a-restful-web-service. The second thing is you have to think about how to save / validate the authentication token and how to pass it when accessing your web service. – andih Jun 20 '13 at 15:21
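The flow proposed in the edited question (all authentication logic in the service, a /login resource checked with HTTP Basic, the web app forwarding the login) and the Authorization-header scheme andih describes in the comments, as an added example that is not code from the asker or from any commenter. The user store is a constructed in-memory dict of salted PBKDF2 hashes standing in for the external directory (OpenLDAP / AD); the user "alice", the realm "mywebservice" and the /myresource path are assumptions for illustration (the path mirrors the curl example above). One deliberate difference from the comment: a missing or invalid header is answered with 401 plus a WWW-Authenticate challenge rather than 403, since that is the status which tells any client (browser app, phone app, curl) that it must authenticate.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for the external user store (OpenLDAP, AD, ...):
# only a salt and a PBKDF2 hash per user, never the clear-text password.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_ALICE_SALT = os.urandom(16)
USER_DB: Dict[str, Dict[str, bytes]] = {
    "alice": {"salt": _ALICE_SALT, "hash": _hash_password("correct horse", _ALICE_SALT)},
}
_DUMMY_SALT = os.urandom(16)  # hashed against for unknown users so lookups cost the same time


def verify_credentials(username: str, password: str) -> bool:
    """Check a username/password pair against the store.

    Unknown users are still hashed (against a dummy salt) and the digests are
    compared in constant time, so neither the response time nor the result
    leaks more than "valid" / "not valid".
    """
    record = USER_DB.get(username)
    candidate = _hash_password(password, record["salt"] if record else _DUMMY_SALT)
    if record is None:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def parse_basic_auth(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an 'Authorization: Basic ...' header, else None."""
    if not authorization:
        return None
    scheme, _, encoded = authorization.partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # a malformed header is treated as "no credentials"
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def basic_header(username: str, password: str) -> str:
    """Build the header value a client sends (RFC 7617 encoding)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


Response = Tuple[int, Dict[str, str], Dict[str, object]]
_CHALLENGE = {"WWW-Authenticate": 'Basic realm="mywebservice"'}  # realm is an assumption


def rest_service(path: str, headers: Dict[str, str]) -> Response:
    """The stand-alone service: every request, /login included, is authenticated here.

    401 plus a WWW-Authenticate challenge tells the client that credentials are
    missing or wrong; the /login body keeps the {"loginStatus": ...} contract
    proposed in the question.
    """
    creds = parse_basic_auth(headers.get("Authorization"))
    authenticated = creds is not None and verify_credentials(*creds)
    if not authenticated:
        body = {"loginStatus": False} if path == "/login" else {"error": "authentication required"}
        return 401, dict(_CHALLENGE), body
    username = creds[0]
    if path == "/login":
        return 200, {}, {"loginStatus": True, "user": username}
    if path == "/myresource":  # assumed resource, mirrors the curl example in the comments
        return 200, {}, {"owner": username, "items": [1, 2, 3]}
    return 404, {}, {"error": "not found"}


def web_app_login(username: str, password: str) -> bool:
    """The web app keeps no credential logic of its own: it forwards the login to the service."""
    status, _, body = rest_service("/login", {"Authorization": basic_header(username, password)})
    return status == 200 and body.get("loginStatus") is True


if __name__ == "__main__":
    print(web_app_login("alice", "correct horse"))   # True
    print(web_app_login("alice", "wrong password"))  # False
    print(rest_service("/myresource", {}))           # 401 with the Basic challenge
```

Because the service answers every request with the same authentication check, the web app and a curl user get identical behaviour, which is what makes the "authenticate only in the service" design work. Basic auth only makes sense over TLS, and the web app should not keep the user's password around after login: the next step andih points to (a session or token issued by the service and sent on later requests) is what replaces the password from then on.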

1 Answer


The first thing: "do I need to make the authentication on the web app and the web service, or can the web app verify the login through the web service?" Both are possible; it depends upon your choice and implementation. But to make the flow uniform in all cases that use the DB, the call from the web app should go to the web service as you showed in the diagram. I think while logging in, the client should call the web app server, and the web app calls the web service to look into the DB to check the credentials.

There can be many ways. Sometimes web apps use AJAX heavily, and from the client itself they call the REST service directly to get data or to check the credentials.

Praveen Prajapati
  • Thanks for your answer. I think I'll do everything through the web service as you advise. And thanks to @andih who helped me in the comments – loics2 Jun 26 '13 at 07:43