I am working on a project build in java that has android frontend. Its basically and android app that calls REST APIs build in java. I have created restful apis using springmvc, hibernate and eclipse. Currently I don't have any security mechanism for these apis (e.g. authentication tokens). I want to secure my APIs through AWS APIGATEWAY. I have done some research and have successfully implemented authentication through APIKeys. But according to document it's not that secure.
My understanding of this whole process is that Cognito user pool and Lambda authorizers will only be applicable in case of implementing REST APIS in apigateway but if i want to apply security on my already created backend APIs I'll have to use API KEYS. Can anyone tell me how I should go about it?
Related
I have created some APIs using JAX-RS jersey. I have been given task to secure them using Oauth 2.0. In google I found many articles in which they explain how can I access google API, facebook API etc. they told me how to access already created APIs
But my question is how can I make my API secure using Oauth in java so that when another applcation want to access, it needs to provide authorization and authentication token etc.
Can anybody help me with the code in java. you can suggest some even paid tutorial of udemy coursera if you know. I will opt for them. I am not using any framework like Spring or Springboot.
I would advies checking out the following page:
https://www.baeldung.com/spring-security-oauth-jwt
It makes use of keycloack for authorization server and spring for configuring the resource server.
Currently trying to create some acceptance tests that are to call api endpoints which have been authenticated with Cognito implicit grant.
Is there a possible way of using the aws sdk and Cognito sdk to request for an access key to call my api endpoints?
Im finding very little help through the aws documentation and on the internet in general.
My acceptance test run on java with cucumber and gherkin.
You can authenticate via Cognito API's initiateAuth to get the tokens directly.
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
The default way of authentication requires SRP.
If you wanted, you could avoid SRP overhead implementation by creating a separate app client for testing and checking off Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH) in the App Clients settings for that app client.
You probably want to have some deployment configuration so that this app client is only available in testing environments. Otherwise, you could create a secret for the app client.
Other than USER_PASSWORD_AUTH flow, there is ADMIN_NO_SRP_AUTH via adminInitiateAuth which requires AWS keys (must be enabled in "App Client" settings as well).
You can learn more about these flows here: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html?icmpid=docs_cognito_console#amazon-cognito-user-pools-admin-authentication-flow
I have an application which is built using Spring MVC and the backend is REST API also built using spring MVC framework.
The request from the browser first hits the springMvc app which then calls my REST API for data. I do not have any needs to expose my API's publicly. So I am not thinking to use any API gateway.
For security, am thinking to host my REST app in a private subnet and host the springMVC app in public subnet in a VPC.
My question is what if some developers would like to test the API's directly , what provisions are available in AWS to manage this in development environment.
I am using AWS cognito for authentication and am just going to validate the token in the REST app for additional security. At netwrok level, I am planning to use Netwrok ACLs to restrict the REST app to be only called by my springMVC app. Basically one public subnet and one private subnet.
Please help if my understanding is correct in this regards and would it cause any design issues later on.
If at some stage later, I plan to expose my API's to lets say a mobile app, I might have to do some rework. Is it worth it to think about future now and design accorindgly considering it might not take much time if I am on AWS.
You can use API Gateway to create private APIs that are only accessible by your VPC. You should consider using this option if possible. There are a lot of things that are difficult to manage when it comes to APIs such throttling, caching, and logging. Using API Gateway a lot of the scaffolding and instrumentation work for the API will already be done. You can also connect Cognito user pools to the API Gateway.
This blog post has a good overview and an example.
I'm a beginner in context of google-cloud-endpoints and the associated product "google-cloud-app-engine".
I've created a simple google app angine project/application and created an API-Key by using the google cloud platform's console.
To my app-engine's endpoints API definition I've added the annotation
"apiKeyRequired = AnnotationBoolean.TRUE" as stated in
Add API restriction by adding an API key to your app engine application
and my client application which uses the generated endpoints client API was also updated accordingly to send the generated API key for all API requests.
As I would like to test the "API-Key" mechanism locally on my development machine (using a local app-engine environment) before deploying the backend to the cloud, I would like to know, whether it is possible to test the "API-Key"-restrictions locally. I mean, somehow the locally executed app-engine backend app has to be aware of the created API key. Maybe there is a property which I have to provide to my app-engine backend application's POM.xml file...I don't know, whether the google app-engine SDK supports API keys for local testing in context of the "endpoints framework v2" actually. The newley introduced API Management Platform (API-Gateway) can maybe not be "simulated" locally...?!
Thank you so far for your effort!
API key restrictions should work locally. You just need to include GoogleAppEngineControlFilter in your web.xml.
I need some suggestions on how to secure REST APIs and web based internal system using a single authentication system.
I am looking into the possibility of using:
oAuth 2.0
JA-SIG CAS
Custom Implementation (implement two separate APIs)
To secure REST APIs and redirect calls to specific API instance
To authenticate web application users.
I assume you have a UI for your webapp and want to share your identity between your webapp and your web service.
You can achieve that by :
"cassifying" your webapp (For example : https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml)
proxifying your calls from your webapp to your web service (https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough).
Here are a few suggestions in how to secure REST APIs. They are related to iPhones but they are generally applicable to client/server REST API implementations. Without more information I don't know how applicable they are, but they might help you out a bit:
Security When Using REST API in an iPhone Application
https://stackoverflow.com/questions/15390354/api-key-alternative/15390892#15390892