My REST-Backend is using Mozilla Persona to authenticate users. Normally you would just use cookies to authenticate any further requests but I want to use token based authentication (out of personal dislike for cookies and as an academic exercise).
I have 2 main security concerns:
- Someone getting access who has not been authenticated (solved by requiring a valid token)
- Someone getting access under a different identy than he was authenticated as (so bob@email.com cannot post data under the alias alice@email.com)
I have 2 main system requirements:
- Stateless on the server side: it shouldn't have to keep any information regarding a user inside server memory between two requests
- I want a quick (Java implementation < 100ms) authentication of any further request after the first, this makes it impossible to just verify the Persona assertion another time, or decrypting a token based on RSA or similar procedures
In my eyes this seems to be impossible (I basically want the security of digital certificates without the performance detriments related with them). But I'm open to suggestions.
I don't need to protect any valuable data which is why I'm using Persona in the first place. My primary attack case is friends of mine trying to dick around with the system. I at least want them to spend a few minutes of work to do that.
