Simple HTTP Access Authorisation

Sometimes you may want to lock down RESTful APIs or plain HTTP GET resources so that only your own client software can use them, without requiring authentication. You don’t know who the caller is (not authenticated), but you know she may access the resource (is authorised).

If the server has a valid SSL certificate based on a root certificate pre-installed on the iPhone, among the simplest ways to do it are:

Having to decompile the App may raise the bar high enough, though hard-coded secrets surely aren’t bulletproof, Secret Service grade protection. If you don’t want the password or secret token to appear as a literal string inside the App, synthesize it at runtime.

If your transport channel isn’t confidential (e.g. plain HTTP, not HTTPS), you might consider Digest Authentication or a custom CRAM-style challenge-response mechanism, which I will not go into in this post.
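As an added example (not code from the original post), here is what the server side of the shared-secret scheme above looks like: the resource accepts the secret as a Bearer token or as the HTTP Basic password, compares it in constant time, and refuses the bearer credential outright when the request did not arrive over HTTPS. The secret, user name and `scheme` argument are constructed, hypothetical values.

```python
"""Authorise a pre-shared client secret presented over HTTPS (demo)."""
import base64
import hmac
from typing import Mapping, Sequence

# Constructed sample values; in production keep the secret out of source control.
SHARED_SECRET = b"demo-client-secret-42"
BASIC_USER = b"app"


def _same(a: bytes, b: bytes) -> bool:
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(a, b)


def authorize(headers: Mapping[str, str], scheme: str) -> int:
    """Return the HTTP status to answer with: 200 (ok), 401 (bad/missing), 403."""
    # A pre-shared token is a bearer credential: only accept it on a TLS channel.
    if scheme.lower() != "https":
        return 403
    kind, _, value = headers.get("Authorization", "").partition(" ")
    if kind == "Bearer":
        return 200 if _same(value.strip().encode(), SHARED_SECRET) else 401
    if kind == "Basic":
        try:
            decoded = base64.b64decode(value.strip(), validate=True)
        except ValueError:  # malformed base64
            return 401
        user, _, password = decoded.partition(b":")
        # Evaluate both comparisons so the timing does not reveal which failed.
        ok = _same(user, BASIC_USER) & _same(password, SHARED_SECRET)
        return 200 if ok else 401
    return 401


# Client-side helpers: assemble the token at runtime from fragments so the
# complete literal is not stored as one string (raises the bar, nothing more).
def bearer_header(fragments: Sequence[bytes]) -> str:
    return "Bearer " + b"".join(fragments).decode()


def basic_header(user: bytes, password: bytes) -> str:
    return "Basic " + base64.b64encode(user + b":" + password).decode()
```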

P.S.: Here are some really nice .htaccess examples.
