Why do we need REST service security if we have HTTPS

Posted by Vangel on Programmers See other posts from Programmers or by Vangel
Published on 2011-06-13T01:56:45Z Indexed on 2012/10/12 9:50 UTC
Read the original article Hit count: 281

Filed under:

I refer to this excellent article http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/ which speaks of amazon like security for web service. However I was asked a question in the team of why do we need it if we already use HTTPS. I was unable to answer as it really seems to me they may be right although gut tells me otherwise.

Also is there places when providing REST services where HTTPS may not work? Like 3rd party websites?

If anyone has experience in securing Web Services over the public interwebs please shed some light with your experience.

Thanks in advance.

EDIT: To clarify I am not speaking of user authentication but more of client authentication. The user authentication can be assumed to be plain text over HTTPS+ REST.

My worry is that this still allows anyone to use the web service without my client to access it since everything is plai text although over HTTPS the client end point can still use my web service without the client application.

© Programmers or respective owner

Related posts about rest