The State of Authenticating RESTful APIs

Track: Web
Skill Level: Beginner
Room: Room A402-403
Time Slot: Tue 2/16, 5:30 PM
Tags: rest, web, spring, security
Abstract

The many benefits of a RESTful architecture have made it the standard way to design web-based APIs. For example, the principles of REST state that we should leverage standard HTTP verbs to help keep our APIs simple. Server components that are considered RESTful should be stateless, which helps ensure that they can easily scale.

However, the best practices of REST and security often seem to clash. How should sensitive information be transmitted in RESTful APIs? How should a user be authenticated in a stateless application? How is it possible to design an API so it is both secure and RESTful? Securing RESTful endpoints is further complicated by the fact that security best practices evolve so rapidly.

In this talk Rob will explore various ways to perform authentication in RESTful APIs. Along the way we will clear up misconceptions, explore common pitfalls, and discover new insights into authentication.

Rob Winch

Rob Winch is the project lead of the Spring Security, Spring Session, and Spring LDAP projects. He is also a committer on the core Spring Framework, co-author of the Spring Security 3.1 book, and enjoys presenting about anything technical. In the past he has worked in the health care industry, bioinformatics research, high performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys playing the guitar.