Closed tom10271 closed 10 years ago
Hi Tom,
you can't reuse nonces (well, you can outside the lifetime while using the provided commands to clean up expired nonces) so you should push a unique one on each request.
Here's a link to an API-bundle we use as a base for all our API-clients, based upon requestcore/curl: https://github.com/escapestudios/EscapeAPIClientBundle. Especially have a look at https://github.com/escapestudios/EscapeAPIClientBundle/blob/master/REST/Request.php's execute-method for the X-WSSE-header. It might be useful to make your own implementation...
Re: single page If I understand correctly you'd like different users to have different access to your API, right? WSSE is perfect for that, but you'll (obviously) have to make sure to set up different users within their groups/roles so that you can use this to secure your different calls. No need to say that they will have to provide the X-WSSE header to each request.
I'll definitely keep your questions and comments in mind when working on some documentation/examples for the bundle.
Hope this helps!
Kind regards, David
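To make the nonce rule above concrete, here is an added example (not code from the bundle, from the linked API-client, or from either participant) of both sides of the X-WSSE exchange. It assumes the WSSE UsernameToken scheme as Symfony-style WSSE bundles use it: `PasswordDigest = base64(sha1(raw_nonce + Created + secret))`, with the raw nonce sent base64-encoded, a server-side store that remembers every nonce for the configured lifetime, and a cleanup step that forgets nonces once that lifetime has elapsed (standing in for the bundle's cache directory and its expired-nonce command). Credentials, the clock-skew tolerance and the store class are constructed for the example. Note what the replay check implies for the lifetime setting: a longer lifetime does not let a client reuse a nonce, it only lengthens the window during which a repeated nonce is rejected.

```python
import base64
import hashlib
import hmac
import os
import re
import time
from datetime import datetime, timezone

# Assumed scheme (WSSE UsernameToken profile as used by Symfony-style WSSE bundles):
# PasswordDigest = base64(sha1(raw_nonce + Created + secret)), raw nonce sent base64-encoded.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
CLOCK_SKEW = 60  # seconds of tolerated client/server clock drift (assumed value)
_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def build_wsse_header(username, secret, nonce=None, created=None):
    """Client side: build an X-WSSE value. A fresh random nonce is drawn on every
    call unless one is passed in, so two requests never share a nonce."""
    raw_nonce = os.urandom(16) if nonce is None else nonce
    if created is None:
        created = datetime.now(timezone.utc).strftime(TIME_FORMAT)
    digest = hashlib.sha1(raw_nonce + created.encode() + secret.encode()).digest()
    return ('UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"'
            % (username, base64.b64encode(digest).decode(),
               base64.b64encode(raw_nonce).decode(), created))


def parse_wsse_header(value):
    """Split the header into its four fields; reject anything malformed."""
    if not value.startswith("UsernameToken "):
        raise ValueError("not a UsernameToken header")
    fields = dict(_FIELD_RE.findall(value))
    missing = {"Username", "PasswordDigest", "Nonce", "Created"} - set(fields)
    if missing:
        raise ValueError("missing fields: " + ", ".join(sorted(missing)))
    return fields


class NonceStore:
    """Server side: remembers every nonce for `lifetime` seconds (constructed
    in-memory stand-in for the bundle's nonce cache directory)."""

    def __init__(self, lifetime):
        self.lifetime = lifetime
        self._seen = {}  # nonce -> unix time of first use

    def register(self, nonce, now):
        # Forget nonces whose lifetime has elapsed (what the cleanup command does),
        # then refuse any nonce that is still remembered.
        self._seen = {n: t for n, t in self._seen.items() if t + self.lifetime > now}
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def verify_wsse_header(value, secrets, store, now=None):
    """Server side: returns (ok, reason). `secrets` maps username -> shared secret."""
    now = time.time() if now is None else now
    try:
        f = parse_wsse_header(value)
        raw_nonce = base64.b64decode(f["Nonce"], validate=True)
    except ValueError as exc:
        return False, "malformed header: %s" % exc
    secret = secrets.get(f["Username"])
    if secret is None:
        return False, "unknown user"
    try:
        created = datetime.strptime(f["Created"], TIME_FORMAT).replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return False, "bad Created timestamp"
    if created > now + CLOCK_SKEW:
        return False, "Created is in the future"
    if now - created > store.lifetime:
        return False, "Created is older than the nonce lifetime"
    expected = hashlib.sha1(raw_nonce + f["Created"].encode() + secret.encode()).digest()
    if not hmac.compare_digest(base64.b64encode(expected), f["PasswordDigest"].encode()):
        return False, "digest mismatch"
    # Only now spend the nonce: an unauthenticated request must not consume it.
    if not store.register(f["Nonce"], now):
        return False, "nonce already used within its lifetime"
    return True, "ok"


def demo():
    """Constructed walk-through: one request accepted, the same one replayed, then a fresh one."""
    secrets = {"tom": "s3cret-shared-with-server"}  # constructed sample credentials
    store = NonceStore(lifetime=300)
    first = build_wsse_header("tom", secrets["tom"])
    return [verify_wsse_header(first, secrets, store)[0],   # True: fresh nonce
            verify_wsse_header(first, secrets, store)[0],   # False: same nonce again
            verify_wsse_header(build_wsse_header("tom", secrets["tom"]), secrets, store)[0]]  # True


if __name__ == "__main__":
    print(demo())
```

The digest is checked before the nonce is recorded so that a request with a bad secret cannot burn a nonce, and the Created check uses the same lifetime as the store: once a nonce has been forgotten, a request carrying the original Created value is already too old to be accepted, so the two limits together close the replay window.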
Hi @tom10271,
how are you getting on?
Thanks in advance for your feedback!
Kind regards, David
I'll close this issue for now, do let me know if you are still running into problems though...
Kind regards, David
I don't know why I am unable to reuse the nonce and I have set the lifetime for nonce to be 5184000 already.
Here is my config.yml:
I have another question: I am building a single-page website that will keep requesting my REST API developed with FOSRestBundle. However, different resources require different privileges, and the user needs to be logged in first.
For testing, if my REST API is secured by HTTP authentication, I cannot test it with a REST client. If I use WSSE, I can test the service, but it is complicated to use over a webpage.
Should I use WSSE for authenticating users, or would HTTP authentication be better? WSSE seems not quite suitable for a webpage. Or can I authenticate the user and give them a token in WSSE once the user is logged in?
Thanks for helping.