Securing and authenticating web services

Security on the internet takes many forms. In the context of RESTful web services and this book, we are only interested in two forms of security—securing access to web services and accessing web services on behalf of the allowed users.

Securing a web service gives us deliberate control over its resources. Even though most web services are publicly available, we still need to control data access and traffic throughput, and we can do both by restricting access to subscription accounts. For example, API access can be limited by the number of queries a registered user may execute per day. Many other API vendors restrict access to their APIs in similar ways.

Security has two essential elements:

  • Authentication: This involves verifying the identity of the user who is trying to access the application or web service. This is typically performed by obtaining the login credentials and validating them against the user details configured on the server.
  • Authorization: This involves verifying what an authenticated user is permitted to do in the application or service.

In this chapter, we will take a look at the various approaches for authenticating and authorizing RESTful web services. We will start with the simplest mechanism of them all.
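The two elements above, plus the per-day query limit mentioned earlier, can be seen together in the following added example (illustrative code written for this page, not code from the book). The user names, passwords, roles and daily limits are constructed sample data; a real service would keep them in a user store rather than in memory.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored credentials are never kept in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _account(password: str, role: str, daily_limit: int) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role, "daily_limit": daily_limit}

# Constructed sample subscription table (hypothetical users, not from the book).
USERS = {
    "alice": _account("correct horse", role="admin", daily_limit=1000),
    "bob": _account("battery staple", role="reader", daily_limit=2),
}
_DUMMY_SALT = os.urandom(16)   # unknown names cost the same time as real ones
USAGE = {}                     # (username, ISO date) -> queries made that day

def authenticate(username: str, password: str):
    """Authentication: check the presented credentials against the server's user records."""
    record = USERS.get(username)
    salt = record["salt"] if record else _DUMMY_SALT
    candidate = _hash(password, salt)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    return username

def authorize(username: str, action: str, today: str) -> str:
    """Authorization: what may this authenticated user do, and is today's quota left?"""
    record = USERS[username]
    if action == "write" and record["role"] != "admin":
        return "forbidden"
    key = (username, today)
    if USAGE.get(key, 0) >= record["daily_limit"]:
        return "quota_exhausted"
    USAGE[key] = USAGE.get(key, 0) + 1
    return "allowed"

def handle_request(username: str, password: str, action: str, today: str) -> int:
    """HTTP status a resource handler would return for this request."""
    user = authenticate(username, password)
    if user is None:
        return 401                 # identity not established
    decision = authorize(user, action, today)
    if decision == "forbidden":
        return 403                 # identity known, action not permitted for the role
    if decision == "quota_exhausted":
        return 429                 # subscription limit for the day reached
    return 200
```

Note that the role check runs before the quota counter is touched, so a rejected write does not consume one of the user's daily queries.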
