It maybe different for different http authentication. But just want to know where is it stored (blog post would be helpful). In java servlet, I can get the userinfo from request.getRemoteUser(), then is the user info stored in http header or cookie. And how does the client specify that. e.g. In java I can construct URI with user info, but where is it stored. Any related blog post would be helpful
If I understand your question well enough, you're trying to figure it out how the client side information related to the user are stored .. well.. It depends of the client implementation you are using I guess .
For instance Angular can use different kind of user information storage methods like CacheFactory or LocalStorage API as mentionned in this other post.
Related
As the question states, my goal is to hide a GET route in Spring Boot from being accessed from the public. I originally took a CORS approach, but that doesn't solve the actual view problem. Pretty much anyone could go to, say... https://my-api-url.com/employee/all and see a JSON record of all employees in my database.
END GOAL: I only want my front-end to have access to my API for displaying that information to an authorized user who is signed in, but I do NOT want just anyone to have access to the API. CORS policy can handle the ajax requests, but it doesn't seem like I can stop the overall viewing of the GET url.
How can I solve this problem?
You can use OAuth to register clients(frontend/postman/whatever you are using to test the API) that can access your resource server, but it might be overkill. For now, if you worry someone can view your API by typing it in the address bar(if that is your question) then you can allow access for authenticated users only.
If you want to restrict usage and make it inconvenient for abusers to call your API, you can issue a token on page load (CSRF token) and require that token to be present in the request to the API - that way the API will be callable from a browser that initiated a page load.
You can refer this link https://security.stackexchange.com/questions/246434/how-can-i-ensure-my-api-is-only-called-by-my-client
If your frontend is currently handling authentication, i‘d suggest moving to Springs Authenticationserice. That way you could prevent unauthenticated users from accessing that specific API endpoint.
I am currently designing a REST API for a social networking application.
I am trying to decide how I can go about locking access to a specific resource for each user. For example I have the following URL's
https://social-network.com/api/user?id=2/someUpdateOrPostOp
(or https://social-network.com/api/user/id=2/someUpdateOrPostOp)
https://social-network.com/api/user?id=3/someUpdateOrPostOp
What I need of course is for a user with id=2 not to be able to change their id to 3 in the url and perfom an operation on the data of user with id 3.
Note: I am using JAX-RS with Tomcat and the Client consuming the API is an Android device.
What is the technique I need to research to achieve this? I feel like I am missing something with all this.
Thanks for any help you can offer, this is confusing me greatly!
You need two things:
logic that confirms the identity of the caller i.e. you know the caller is Alice. That can happen through OAuth, Open ID Connect or other protocols. You could use more basic authentication e.g. HTTP BASIC Auth but that leads to the password anti-pattern whereby you share your password with the API.
logic that given the user, determines what that user can do. This is referred to as authorization or access control. Given you are in JAX-RS, you could use a message interceptor to look at the user ID and then look at the requested object or the parameters of the call and then decide to deny access if the authenticated user doesn't correspond to the requested profile. You could even use externalized authorization with XACML. Given your simple use case, though, that would be too much.
You can read more on JAX-RS interceptors here.
I'm building a REST application with spring, and would like to secure the methods as they will be reachable both within the intranet and later on by some customers.
All requests are GET only. How can a basic, yet strong enough security be implemented? An additional get parameter like ?key=12345 where each customer gets his own key?
Or how could this be done?
First, if you pass the parameters as the query params in the URL, anyone can see the value of the parameter with a sniffer.
You must pass these parameters in the header, using SSL. Thus, these parameters are unreadable with a sniffer.
EDIT:
As kevin say this information is not visible from a sniffer. Only the server IP. But still unsure by:
Full URL (with sensitive data) are stored in the browser history
Full URLs are stored in web server logs.
Full URLs are passed in Referrer headers.
Hello there are many points when you are building a REST application,If something is related with security I recommend you to check OWASP, check the link to analyze what do you need to care for.
Talking about frameworks it depends of your architecture, some of the frameworks that I recommend you to analyze are the next:
Spring security
Apache shiro
Stormpath
Apacheds
I hope that It helps you.
I am having a little problem here. We are a group of 3 guys developing a web application.. When I'm doing post to one servlet handling the login, and afterwards do a post to another servlet where I'm trying to use the attribute we've stored in the session in the Login, it's like it is using another session. I don't think there is a problem in the code, since the other guys can do this without any problems..
I'm using fiddler2 as my restclient, where the others are using Cocoa as their clients. When I'm inspecting the headers the two different posts is having two different session id's.
I've been trying to figure this out most of the day, but haven't found out of anything yet. I will be thankfull for any advise.
Fiddler's Composer does not attempt to maintain any sort of cookie jar for you. If you want to send a cookie on a request using the Composer, you must add it yourself. You will find the value in the Set-Cookie response header on a previous response.
I should get information from a website by DOM (a random value of an hidden input) and execute a post of username and password in my app (a login).
If I use two separated connection the random value change and not log me in.
Someone knows how I can do this in one connection? Help me please!
You should provide your login information in headers, there is a standard way of doing so called HTTP BASIC authentication. Read more about it here:
http://en.wikipedia.org/wiki/Basic_access_authentication
You can follow this SO post to understand how you can send an http request with BAISC authentication header using JAVA:
Http Basic Authentication in Java using HttpClient?
Your request can be authenticated using the mentioned header. And you can send any other information as request parameter. Using this way you need not to send two requests to get the DOM info as your authentication info will be in header.