RESTful, Secure, Non-SSL Authentication

Hi,

Speaking of authentication... :) I have been playing around with some ideas for a RESTful, secure login. What do you think?

General
1. JavaScript is required on the client (and server)
2. Client and Server share the same JavaScript hash (sha1) code.

Server:
* appSessions: A 2 dimensional array (for java, java.util.TreeMap) [[timestamp, someRandomThing]] with length=30 (default, but modifiable) which has the oldest entry removed and a new entry added every minute. In other words, the length of the array is the server side timeout. Perhaps 'someRandomThing' needs to come from a central authority for load balancing?? This has nothing to do with client state - so it's RESTful, right?

Client:
* Ability to use custom login form
* Ability to logout by submitting login form with invalid credentials
* Ability to forget/reset password

GET request for secure resource from unauthenticated user
1. remoteIp: get the remote IP
2. mostRecentEntry: get the most recent entry from the 2d array
   * timestamp
   * someRandomThing
3. salt: sha1(remoteIp + someRandomThing)

GET response
4. send auth request back to client with the following headers:
   * STAMP = timestamp
   * BITE = salt
   * REALM = something
   * CODE: 3 // log in tries??
5. client stores the headers with JavaScript
6. client/user interaction
   a. Present login form - page/thickbox/whatev...
   b. user enters username and password -> submits form
   c. credentials: sha1(BITE + sha1(username:REALM:password))
   d. send GET request:
      {
        headers: {
          STAMP: STAMP,
          CREDS: credentials,
          CODE: 3 // log in tries??
        }
        parameters: {
          username: username
        }
      }

GET Auth request
7. use the STAMP header to get 'someRandomThing' if it still exists (otherwise user session has timed out)
8. salt: sha1(remoteIp + someRandomThing)
9. existingCreds = user.getCredentials()
10. if (CREDS == sha1(salt + existingCreds)) {
      redirect to secure resource
    } else {
      send error unauthorized
      send auth request back to client with the following headers:
      * STAMP = timestamp
      * BITE = salt
      * REALM = something
      * CODE: 2 // log in tries??
    }

QUESTION: Will the client remote IP be the same between request->response->request??