I’m using RESTeasy framework to develop my web service. I’ve managed to set up BASIC authentication, and it is working properly now. Of course, I do plan to use SSL on top of this.
The process is simple (and please read something about HTTP Basic Auth if you don’t know what this is about):
- Every request is intercepted by a method which analyzes the request header.
- This header is decoded and the username and password are extracted.
- The method then queries the database to check if the username and password match.
- If they match, the request proceeds; if they don’t, a 401 code is returned.
With this approach, every request implies a request to the database, due to the stateless nature of REST (and HTTP itself).
My question is: Is it possible to not query the database on every authenticated request?
Possible hints: Some mechanism using cookies?
This question is technologically agnostic.
Just as a side note:
I really feel that there is very little information on this REST authentication matter. It’s just OAuth, OAuth, OAuth… If we don’t want to authenticate 3rd-party applications, information is scattered everywhere and there aren’t any concrete examples, like there are for OAuth.
If you have any good advice regarding authentication in REST web services, I would love to hear it.
Thank you.
The answer ended up being cache.
In my particular case I was using RESTeasy as a REST framework and Google App Engine as the application server. It wasn’t hard to find out that GAE has support for memcache.
If you’re using Objectify (you really should; it’s awesome), it’s even easier. Just annotate your entity classes with @Cached. This procedure is illustrated here.
Objectify supports another kind of cache in a session object. In other words, as long as your Objectify object is instantiated, it can provide your objects even without using memcache (this is good because in GAE there are quotas for using memcache, although they are cheaper than the datastore ones). I strongly advise you to read Objectify’s good practices in their wiki.
As a final note, I’ll consider using Digest authentication instead of Basic. It seems much more secure. The fact that the password never travels through the network really relieves me.
I hope that this SO question was useful to someone and for those who helped me: thank you. 🙂
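As an added example (not code from the question or the answer, and not RESTeasy or GAE code), here is the cache approach from the answer in technology-neutral Python: a successful Basic-auth check is remembered for a TTL under an HMAC of the presented credentials, failed checks are never cached, and `revoke` drops a user's entries after a password change. `AuthCache`, `db_lookup`, `DB_LOG` and the one-user table are constructed for this example.

```python
import base64, hashlib, hmac, secrets, time
# Constructed user table; the fixed salt and low PBKDF2 count are for the example only.
_SALT = b"constructed-salt"
def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)
USER_DB = {"alice": _pw_hash("s3cret")}
DB_LOG = []  # one entry per (expensive) datastore lookup, to show how many ran
def db_lookup(username):
    DB_LOG.append(username)
    return USER_DB.get(username)

def basic_header(username, password):  # what the client sends
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

class AuthCache:
    """Remember successful Basic-auth checks for `ttl` seconds, like memcache would.
    Keys are an HMAC of the credentials under a secret held only in this process,
    so the cache never stores the password or a hash replayable against the DB."""
    def __init__(self, ttl=300):
        self.ttl = ttl
        self._key = secrets.token_bytes(32)
        self._entries = {}  # tag -> (username, expiry timestamp)

    def _tag(self, username, password):
        return hmac.new(self._key, f"{username}:{password}".encode(), "sha256").digest()

    def authenticate(self, auth_header, now=None):
        """Return the username on success, None when the caller should send 401."""
        now = time.time() if now is None else now
        scheme, _, encoded = auth_header.partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            username, _, password = base64.b64decode(encoded).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 payload
            return None
        tag = self._tag(username, password)
        entry = self._entries.get(tag)
        if entry is not None and entry[1] > now:
            return username  # cache hit: no datastore query
        self._entries.pop(tag, None)  # drop an expired entry
        stored = db_lookup(username)
        if stored is None or not hmac.compare_digest(stored, _pw_hash(password)):
            return None  # failures are never cached, so guessing still costs a lookup
        self._entries[tag] = (username, now + self.ttl)
        return username

    def revoke(self, username):  # call after a password change or lockout
        self._entries = {t: e for t, e in self._entries.items() if e[0] != username}
```

With a shared store such as memcache in place of the in-process dict, the HMAC secret has to be shared by every instance too, and a stolen secret lets an attacker forge cache entries, so it deserves the same protection as the datastore credentials.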