
3661 Re: [rest-discuss] Why do I care about visibility?

  • Roy T. Fielding
    May 5, 2003
      > I am wondering how much thought you have put into application
      > security and how it fits in with REST.

      Bunches.

      > Do you have a model for how
      > application security should be done? Has there been an exploration
      > of how application security affects other REST guidelines? It
      > seems like supporting access control has ramifications for many
      > parts of REST, the most well-known effect being the interplay of
      > HTTP Auth and caching. It seems that if not done carefully,
      > access control could negate many of the benefits of REST. What are
      > your thoughts?

      Even if it is done carefully, access control does negate some goals
      of REST (shared caching in particular). However, it doesn't negate
      the benefits of the model: a given security model can be analyzed
      to see how it affects applications that are attempting to communicate
      using the REST model, and then improved based on those observations.
      Likewise, security models can learn from the lessons of REST in order
      to improve their efficiency.

      I think it is very important to note that the REST model is not ideal
      for all applications, and that various aspects of security (access
      control, authentication, authorization, accounting, and privacy of
      communication) will place requirements on the architecture that need
      to be addressed in the interaction model.

      Most sites address this issue by separating secure services from the
      services that need higher scalability. This is hampered somewhat by
      the goofy way that WWW browsers warn about "secure" sites containing
      "insecure" embedded content. Likewise, just about every variation on
      securing web sites is damaged in one way or another by browser
      behavior, which is why sites currently use cookies as authenticators.

      I should note that the big conflict between REST and security models
      is the fact that REST does not allow for sessions. What needs to be
      understood is that sessions are bad for security models too -- they
      cause most of the denial-of-service and man-in-the-middle attacks
      to be possible. What is needed is an efficient, session-free means
      of authenticating that is more secure than username/password, which
      is actually an easy problem to solve if you don't try to solve all
      of the security problems at once. What is blocking that is the need
      to negotiate security mechanisms before engaging in secure
      communication, which is currently done within a session.

      ....Roy