
Mark O'Neill is CTO of Vordel and author of the McGraw-Hill book "Web Services Security." He is a frequent speaker at conferences including JavaOne, the RSA Security Conference, and Oracle OpenWorld. Mark is based in Boston, Massachusetts. Mark is a DZone MVB, not an employee of DZone, and has posted 25 posts at DZone. You can read more from him at his website.

Securing APIs

03.24.2011

One of the key questions that comes up in API Management is which authentication scheme to use. Gunnar Peterson has written, in a different context, about the benefit to the security architect of offering a menu of authentication schemes. Some clients are limited in which authentication schemes they can handle, and offering that "menu" at the API Gateway level accommodates them. Within a policy (expressed as a "circuit" in the Vordel Gateway) you can then treat clients differently depending on how they authenticated.

So which API authentication schemes are on the "menu"? Of course there are HTTP Digest Auth and mutual SSL. But there are also API-specific authentication schemes, such as ones modelled on Amazon's Query API authentication. If you want to learn more about this API authentication option, the Vordel website has a video example showing API authentication for iPhone apps and Facebook as clients.

If you skip to the 20-minute mark of the video and listen for a few minutes, you can learn how the Vordel Gateway provides the API security, using HMAC digests with SHA-1. If you're familiar with Amazon Web Services Query authentication, you will recognize this:
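As an added example that is not part of the original post or of Vordel's product, the following Python shows the shape of the Amazon Query-API-style scheme: the client builds a canonical string-to-sign from the request, signs it with HMAC-SHA1 under a shared secret, and the gateway recomputes the signature and compares it in constant time. The canonical-string layout follows AWS Signature Version 2 (method, lowercase host, path, byte-sorted RFC 3986-encoded query); the credential table, the integer epoch `Timestamp` and the 15-minute freshness window are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed sample credential; a real gateway reads these from its key store.
SECRETS = {"AKIAEXAMPLE": b"secret-key-for-demo"}
MAX_SKEW = 15 * 60  # assumed freshness window in seconds; limits replay of a captured request

def canonical_query(params):
    # Signature V2 style: sort by byte order, encode with RFC 3986 unreserved set, join with '&'.
    return "&".join(
        f"{quote(str(k), safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )

def string_to_sign(method, host, path, params):
    return "\n".join([method, host.lower(), path, canonical_query(params)])

def sign(method, host, path, params, secret):
    mac = hmac.new(secret, string_to_sign(method, host, path, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def client_sign(method, host, path, params, access_key, secret, now=None):
    """Client side: add identity, scheme and timestamp, then sign everything."""
    p = dict(params, AWSAccessKeyId=access_key, SignatureMethod="HmacSHA1",
             SignatureVersion="2", Timestamp=str(int(now or time.time())))
    p["Signature"] = sign(method, host, path, p, secret)
    return p

def gateway_verify(method, host, path, params, now=None):
    """Gateway side: look up the key, reject stale requests, recompute and compare."""
    supplied = params.get("Signature")
    secret = SECRETS.get(params.get("AWSAccessKeyId"))
    if not supplied or secret is None:
        return False
    try:
        ts = int(params["Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs((now or time.time()) - ts) > MAX_SKEW:
        return False  # outside the freshness window: treat as replay or clock skew
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    expected = sign(method, host, path, unsigned, secret)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, supplied)
```

Because the signature covers every query parameter, changing any of them (the `Action`, for instance) invalidates it, which is what lets a gateway policy trust the parameters it routes on.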


So the options for API authentication balance flexibility (providing customers with a menu of authentication options) and security (policies which vary access depending on which scheme the client uses). A Gateway provides this balance, versus hardcoding the scheme into the API itself.

Published at DZone with permission of Mark O'Neill, author and DZone MVB. (source)
