Thanks for reading.
I would like to develop a secure web application with jQuery as the front-end and .NET MVC as the server-side with its functionality expressed in RESTful web services. At this point I'm trying to envision the security scheme that I will use but I wanted some advice on best practices (obviously I will use https/ssl, but there's more to it than that of course).
I have always been a fan of the secret-key approach so I was racking my brain trying to figure out how to employ it in this type of web application architecture but I'm at a loss. Basically, a secret key would be generated and placed both on the server as well as given to the client (so the key is never sent across the wire), and each client request must be digitally "signed" with this key. This would be in addition to the typical username/password/session-id structure you usually see in web apps.
My problem is the actual storage of the secret key on the client. Since the jQuery file is just .html sitting on the server, there is no way for it to access a secret key file in a directory outside of the virtual web directory. And placing the secret key file on a public web site wouldn't make it too much of a secret. :)
Here is how I would like it to work:
1. At a certain interval (5-15 minutes), a back-end process generates a secret key and places it both in the back-end database and in a file in a non-public location on the web server.
2. When the client makes a request, it would read from the key file and then digitally sign the request with the secret key.
3. The server receives the request and decodes it with the secret key.
But obviously #2 is the problem, because there's no way to access a "secret" (i.e. non-public) file via javascript.
Am I being too paranoid? The secret key approach is nice because it has another level of security above and beyond username/password (the attacker would need the secret key AND a valid username/password), and if I regenerate the key every 5 minutes the risk is mitigated if a secret key were to leak. This also ensures that all requests are made from a "certified" client. But I don't see how it is possible using non-compiled code such as html/jQuery.
Does anyone have any suggestions or articles on RESTful web service security methods?
Thanks :)
Vince