[Catalyst] Authentication with REST and Catalyst
Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯
daxim at cpan.org
Sat Mar 12 14:14:25 GMT 2011
If you think of cobbling together your own authentication scheme, don't. You
will make mistakes and introduce weaknesses. Use the established ones, in
decreasing order of preference:
* TLS, e.g.
<http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#accesscontrol>
* WSSE, e.g. <http://www.xml.com/lpt/a/1337>, CPAN also has some stuff
* RFC 2617's predefined schemes, e.g.
<http://httpd.apache.org/docs/2.0/mod/mod_auth.html>,
<http://httpd.apache.org/docs/2.0/mod/mod_auth_digest.html>
Principally the authn could also be put in the app layer instead of the Web
server layer, but I prefer having it at the Web server because I can more
easily share authn across apps.
This being REST, Cookies are right out.
The WSSE article is a bit dated. One fact is not true anymore, the crypto
handshake has been extended so that certificates do not need their own IP
any more, i.e. many sites can indeed be hosted at the same server. This is why
I bumped TLS to the top.
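As an added illustration of the WSSE option listed above (not code from this post or from Catalyst, and in Python rather than Perl because the logic is protocol-level): a UsernameToken header builder beside the server-side checks a deployment needs, namely a Created timestamp window, nonce replay rejection, and a constant-time digest compare. The credentials, clock and five-minute window are constructed assumptions, and the nonce convention (raw bytes hashed, Base64 form in the header) is assumed.

```python
import base64, hashlib, hmac, re, secrets
from datetime import datetime, timedelta, timezone

# Constructed demo credentials; note PasswordDigest obliges the server to hold the password.
USERS = {"bob": "correct horse battery staple"}
MAX_AGE = timedelta(minutes=5)  # assumed tolerance for the Created timestamp
NOW = datetime(2011, 3, 12, 14, 14, 25, tzinfo=timezone.utc)  # constructed clock
FIELD = re.compile(r'(\w+)="([^"]*)"')
TS = "%Y-%m-%dT%H:%M:%SZ"

def wsse_digest(nonce_raw, created, password):
    # PasswordDigest = Base64(SHA1(Nonce + Created + Password)); the raw nonce bytes
    # are hashed while the header carries their Base64 form (assumed convention).
    h = hashlib.sha1(nonce_raw + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode()

def make_header(username, password, now=NOW):
    # Client side: fresh random nonce plus an ISO 8601 UTC timestamp.
    nonce_raw = secrets.token_bytes(16)
    created = now.strftime(TS)
    digest = wsse_digest(nonce_raw, created, password)
    return (f'UsernameToken Username="{username}", PasswordDigest="{digest}", '
            f'Nonce="{base64.b64encode(nonce_raw).decode()}", Created="{created}"')

class WsseVerifier:
    def __init__(self):
        self.seen = set()  # accepted nonces; use an expiring shared store in production
    def verify(self, header, now=NOW):
        # Returns "ok" or a rejection reason; the nonce is burned only on success.
        f = dict(FIELD.findall(header))
        if not header.startswith("UsernameToken ") or \
                not {"Username", "PasswordDigest", "Nonce", "Created"} <= set(f):
            return "malformed"
        password = USERS.get(f["Username"])
        if password is None:
            return "unknown user"
        try:
            created = datetime.strptime(f["Created"], TS).replace(tzinfo=timezone.utc)
            nonce_raw = base64.b64decode(f["Nonce"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "malformed"
        if abs(now - created) > MAX_AGE:
            return "stale"
        if f["Nonce"] in self.seen:
            return "replay"
        expected = wsse_digest(nonce_raw, f["Created"], password)
        if not hmac.compare_digest(expected.encode(), f["PasswordDigest"].encode()):
            return "bad digest"
        self.seen.add(f["Nonce"])
        return "ok"
```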