http - Is a three-tiered architecture with REST-like Business Logic possible or viable for secure web applications?
So feel free not only to answer this question, but also to throw out ideas or improvements.
Problem 1: The problem is how do you protect the user's information? You can authenticate the user over an SSL connection and return a special hash so that users can manipulate their account, but if someone is listening on the network, they can just listen for a REST call and steal the hash. One solution is that all REST calls should be over SSL, but this causes another problem.

Problem 2: If the REST procedures are over SSL, the browser must use SSL for everything, which I think is slow and cumbersome and can be unnecessary when it is not needed. Apart from this, SOP makes it impossible to make SSL Ajax calls to the REST procedures from an unsecured browser. HTTP and HTTPS are considered separate origins even though it's the same base, different protocols.

Is this solution viable? How do I solve these two problems? Or perhaps there is a better architecture that I should look at for my web application? Thank you in advance for all the tips.

If you want to protect information, you have to use SSL, because anyone can listen on the network and see the user's information. If you want to secure access, then use HTTP authentication over SSL; basic is secure enough, but if you do not want to use SSL for each request, digest is a way:
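The digest scheme the answer points to, as an added example that is not part of the original post: a sketch of the RFC 2617 `qop=auth` response and a hypothetical server-side check (`DigestVerifier` and its replay set are assumptions made for illustration). The password never crosses the wire and a captured header is rejected on replay, but request and response bodies remain readable without SSL.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """Request-digest for qop=auth as defined in RFC 2617."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # derived from the password, never sent
    ha2 = md5_hex(f"{method}:{uri}")             # binds the response to method and URI
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    """Hypothetical server-side check: known nonce, unused nonce count, matching digest."""
    def __init__(self, realm, users, issued_nonces):
        self.realm, self.users = realm, users
        self.issued = set(issued_nonces)
        self.seen = set()  # (nonce, nc) pairs already accepted

    def verify(self, method, uri, f):
        password = self.users.get(f["username"])
        key = (f["nonce"], f["nc"])
        if password is None or f["nonce"] not in self.issued or key in self.seen:
            return False  # unknown user, foreign nonce, or replayed header
        expected = digest_response(f["username"], self.realm, password,
                                   method, uri, f["nonce"], f["nc"], f["cnonce"])
        if f["uri"] != uri or not hmac.compare_digest(expected, f["response"]):
            return False
        self.seen.add(key)
        return True

# Sample values are the worked example from RFC 2617 section 3.5.
REALM = "testrealm@host.com"
USERS = {"Mufasa": "Circle Of Life"}
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
HEADER = {  # the credential fields an eavesdropper on plain HTTP can see
    "username": "Mufasa", "nonce": NONCE, "uri": "/dir/index.html",
    "nc": "00000001", "cnonce": "0a4f113b",
    "response": digest_response("Mufasa", REALM, "Circle Of Life", "GET",
                                "/dir/index.html", NONCE, "00000001", "0a4f113b"),
}

if __name__ == "__main__":
    server = DigestVerifier(REALM, USERS, [NONCE])
    print(HEADER["response"])
    print(server.verify("GET", "/dir/index.html", HEADER))  # first use
    print(server.verify("GET", "/dir/index.html", HEADER))  # same header replayed
```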