[Catalyst] Authentication with REST and Catalyst

Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯 daxim at cpan.org
Sat Mar 12 14:14:25 GMT 2011

If you think of cobbling together your own authentication scheme, don't. You 
will make mistakes and introduce weaknesses. Use the established ones, in 
decreasing order of preference:

* TLS, e.g.
* WSSE, e.g. <http://www.xml.com/lpt/a/1337>, CPAN also has some stuff
* RFC 2617's predefined schemes, e.g.

Principally the authn could also be put in the app layer instead of the Web 
server layer, but I prefer having it at the Web server because I can more 
easily share authn across apps.

This being REST, Cookies are right out.

The WSSE article is a bit dated. One fact is not true anymore, the crypto 
handshake has been extended to so that certificates do not need their own IP 
any more, i.e. many sites can indeed be hosted at the same server. This is why 
I bumped TLS to the top.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.scsys.co.uk/pipermail/catalyst/attachments/20110312/cdc83427/attachment.pgp

More information about the Catalyst mailing list