
Api Key Authentication

sheldonabrown edited this page Jul 30, 2013 · 2 revisions

OneBusAway provides a convenient mechanism for authenticating and authorizing user requests.

At a high level it works like this:

  1. A user requests an API key from the specific agency
  2. An administrator from the agency generates and stores an API key in the OneBusAway user database (via the API Key Webservice). The administrator delivers this API key to the user
  3. A user makes an HTTP request using this API key
  4. The system intercepts the request and verifies the API key is valid (if configured for this resource)
  5. The system checks that this key has not been used within a configurable interval (a per-key wait period between requests)
  6. The system processes the corresponding URL and returns the results

Read further if you are interested in the implementation of this mechanism.

  1. An HTTP request is made for a specific URL
  2. Struts dispatcher maps the URL to an internal resource
  3. Struts dispatcher evaluates and invokes any interceptors configured for this resource
  4. ApiKeyInterceptor is one of those configured interceptors. It is loaded and invoked
  5. ApiKeyInterceptor confirms that this resource requires authentication (Java annotations are used to indicate methods/webservices that explicitly require authentication)
  6. ApiKeyInterceptor looks for a key as a parameter
  7. ApiKeyInterceptor asks the KeyService if this key has access to the requested resource
  8. ApiKeyPermissionServiceImpl compares the key against keys in the database
  9. ApiKeyPermissionServiceImpl tests to see if the request using this key was made after a configurable wait period to protect resources

Should any of the above tests fail, access to the resource is denied.
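The two checks that ApiKeyPermissionServiceImpl performs (key exists in the store, and the previous request with that key is older than the configured wait period), modelled as an added Python example. This is not OneBusAway's Java code; the class and field names, the `key` request parameter, and the rule that a denied request does not reset the wait timer are assumptions made here for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class KeyRecord:
    """One stored API key (hypothetical shape of a user-database row)."""
    min_interval: float            # configured wait period in seconds; 0 = none
    last_seen: Optional[float] = None  # time of the last accepted request


class ApiKeyPermissionChecker:
    """Illustrative stand-in for the permission service described above."""

    def __init__(self, keys: Dict[str, KeyRecord]):
        self._keys = keys

    def check(self, key: Optional[str], now: float) -> Tuple[bool, str]:
        """Return (allowed, reason) for a request made at time `now`."""
        if not key:
            return False, "missing key"
        record = self._keys.get(key)
        if record is None:
            return False, "unknown key"
        # Wait-period check: deny if the last accepted request is too recent.
        # Assumption: a denied request does not update last_seen.
        if record.last_seen is not None and now - record.last_seen < record.min_interval:
            return False, "request too soon after previous request"
        record.last_seen = now
        return True, "ok"


def check_request(checker: ApiKeyPermissionChecker,
                  params: Dict[str, str], now: float) -> Tuple[bool, str]:
    """Mirror the interceptor step: look for the key as a request parameter."""
    return checker.check(params.get("key"), now)


def demo():
    # Constructed sample keys: one rate-limited to one request per second,
    # one with no wait period.
    checker = ApiKeyPermissionChecker({
        "agency-key-1": KeyRecord(min_interval=1.0),
        "bulk-key": KeyRecord(min_interval=0.0),
    })
    return [
        check_request(checker, {"key": "agency-key-1"}, 100.0)[0],  # first use: ok
        check_request(checker, {"key": "agency-key-1"}, 100.5)[0],  # 0.5 s later: denied
        check_request(checker, {"key": "agency-key-1"}, 101.5)[0],  # 1.5 s after accept: ok
        check_request(checker, {"key": "bulk-key"}, 101.5)[0],      # no wait period: ok
        check_request(checker, {}, 102.0)[0],                       # no key parameter: denied
    ]
```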
