I can't speak for "EGL and other environments", but in general any good developer who designs services whether REST, SOAP or whatever new flavor comes along must think about security, regardless of language and platform.
If a real REST service is: "like having a totally free Command Line in 5250", then it sounds like "real REST services" are very dangerous to deploy :-)
In the REST-style applications I have written, the application is secured based on functionalities/actions/services a user can do. And I have written REST-style service applications using RPG-CGI as well as JSP and ASP.Net.
In fact I didn't realize I was doing REST-style applications until the term was coined during the last few years :-)
I just felt I was creatively hacking my way around the complexities of SOAP because the iSeries didn't have a good SOAP interface to other platforms.
The trick is to create an enviroment where any program (service) that can be reached from the outside is protected not only by a session id but also by the server has granted permission for the client to run it with the limitation the server also grants - e.g. you are allowed to delete this order but you are not allowed to delete *ALL
I would hope any developer who is writing REST-style applications has thought of securing the application based on actions allowed and user-level business functionality. If not, they shouldn't be writing services in any language :-)
Another comment on sessions. If you create a session ID, using a combination of a GUID or some other unique identifier coupled with IP address can work quite nicely.
Regards,
Richard Schoen
RJS Software Systems Inc.
Where Information Meets Innovation
Document Management, Workflow, Report Delivery, Forms and Business Intelligence
Email: richard@xxxxxxxxxxxxxxx
Web Site:
http://www.rjssoftware.com
Tel: (952) 736-5800
Fax: (952) 736-5801
Toll Free: (888) RJSSOFT
------------------------------
message: 6
date: Mon, 22 Nov 2010 02:07:27 +0100
from: Henrik R?tzou <hr@xxxxxxxxxxxx>
subject: Re: [WEB400] IBM i in the cloud (was social media)
Richard,
HTTPS does provide some security,
but a real REST enabled application is like having a totally free Command
Line in 5250,
enter PWRDWNSYS and the system will do as it is told.
The trick is to create an enviroment where any program (service) that can be
reached from
the outside is protected not only by a session id but also by the server has
granted permisson
for the client to run it with the limitation the server also grants - e.g.
you are allowed to delete
this order but you are not allowed to delete *ALL
You may be able to retreive data from this service - but it is limited to
your own - this is what
the security layer should be able to do - and this is what EGL and other are
not in general able
to do.
midrange.com
