Project: ManifoldCF

CONNECTORS-1177: Add authentication support for REST API


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: ManifoldCF 1.8.2, ManifoldCF 2.0.2
    • Fix Version/s: ManifoldCF 1.9, ManifoldCF 2.1
    • Component/s: API
    • Labels: None

    Description

      Best practices, as far as I can tell, are here:

      https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

      RESTful web services should use session-based authentication, either by establishing a session token via a POST or by using an API key as a POST body argument or as a cookie. Usernames, passwords, session tokens, and API keys should not appear in the URL, as this can be captured in web server logs, which makes them intrinsically valuable.


      There's nothing intrinsically wrong with using standard web application session management as a means of managing sessions. The only potential complication is the Java session ID on the URL – but that can be disabled at the web application level.

      The other complication is session expiration. Sessions must eventually expire; we will need to signal that by returning a 403 HTTP code should that occur.

      In order to make this work, we need to add a LOGIN post request, whose job it is to establish a session and verify credentials. The credentials can be placed in the properties.xml file for now, as is done for the web UI. ALL requests to the API must verify the contents of the credentials bean in order for this to work. This can be done by simply coding the check at the API's servlet implementation.
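      The scheme the description lays out (a LOGIN POST that establishes a session, a session-held credentials bean checked on every API request, and a 403 once the session is gone), as an added example that is not ManifoldCF's own code: a servlet Filter placed in front of the API servlet. ApiAuthFilter, the `/LOGIN` path, the `userID`/`password` form fields and the init-param names are assumptions; the issue proposes reading the expected credentials from properties.xml instead.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter (not ManifoldCF code) gating an API servlet behind a login session. */
public class ApiAuthFilter implements Filter {
    private static final String ATTR_CREDENTIALS = "api.credentials"; // the session-held "credentials bean"
    private static final int SESSION_TTL_SECONDS = 30 * 60;            // sessions must eventually expire
    private String expectedUser, expectedPassword;

    @Override
    public void init(FilterConfig cfg) {
        // Assumption: expected credentials arrive as filter init-params (the issue reads them from properties.xml).
        expectedUser = cfg.getInitParameter("api.user");
        expectedPassword = cfg.getInitParameter("api.password");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // LOGIN: credentials are read from the POST body only, so they never land in the URL or access logs.
        // getPathInfo() is "/LOGIN" when the filter and servlet are mapped to the same "/…/*" pattern.
        if ("POST".equals(request.getMethod()) && "/LOGIN".equals(request.getPathInfo())) {
            String user = request.getParameter("userID");          // form field names are assumed
            String password = request.getParameter("password");
            if (expectedUser != null && expectedUser.equals(user)
                    && expectedPassword != null && expectedPassword.equals(password)) {
                HttpSession session = request.getSession(true);   // establish the session
                session.setMaxInactiveInterval(SESSION_TTL_SECONDS);
                session.setAttribute(ATTR_CREDENTIALS, user);
                response.setStatus(HttpServletResponse.SC_OK);
            } else {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
            return;
        }

        // Every other API request: an existing, unexpired session must carry the bean, else 403.
        HttpSession session = request.getSession(false);           // never create one here
        if (session == null || session.getAttribute(ATTR_CREDENTIALS) == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);  // expired or never logged in
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

      Mapping the filter to the API servlet's URL pattern makes the check cover every request, and once the container expires a session `getSession(false)` returns null, which yields the 403 the description calls for. The URL-carried session ID mentioned above is disabled in a Servlet 3.0+ web.xml with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`.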

          People

            Assignee: Karl Wright (kwright@metacarta.com)
            Reporter: Karl Wright (kwright@metacarta.com)