All geek questions in one place

Writing a secure REST web service

Many of them are confused with how to write a secure web service for leisure, for those who are confused by what method to use this post will be useful in excellent form.

Possible ways to write REST services (partially secure)

  • You understand that literally sending credentials via HTTP leaves this data open so that it can be sniffed in text form; After the Gawker incident, you realize that plain text or weakly hashing is usually a bad idea.

  • You understand that password hashing and wire hash transmission instead of plain-text password still allow people to sniff at least the username for the account and the password hash that could (in an alarming number of cases) in the Rainbow table.

  • you exclaim because in this case (which is really the username and password script again) you still suffer the same problems (sniffed traffic) as sending the username and password in plain text.

  • At this point, you are going to give up and agree to use OAuth , but you insist that there should be a safe, but relatively simple way to develop a public web API that can keep credentials private.

+4
source share
1 answer

Best possible solution

The server and client know the public and private keys; only the server and client know the private key, but everyone can know the public key ... who cares about what they know. The client creates a unique HMAC (hash) representing its request to the server. He does this by combining the request data (arguments and values ​​or XML / JSON or whatever he planned when sending) and hashing the drop of request data along with the private key. The client then sends this HASH to the server along with all the arguments and values ​​that it was about to send in any case. The server receives the request and re-generates its own unique HMAC (hash) based on the values ​​provided, using the same methods that the client used. The server then compares the two HMACs, if they are equal, then the server trusts the client and starts the request.

Explanation using an example: (Assume that you are sending this request from android, since Android applications basically do not have sessions, they cannot have cookies or remember which user has logged in. Thus, for this case, when a request is sent along with it, user credentials are also required.)

  • Website for which a request is required (in this case I use localhost): localhost: 8080 /
  • REST request URL for user X: localhost: 8080 / REST / books / favorites (suppose the answer is in plain text, separated by a comma [Harry Potter, Chandamama, Infinitethoughts, Twilight]).
  • Since user X information should be displayed, the request will be something like this: localhost: 8080 / REST / username / password / books / favorites - local: 8080 / REST / X / / books / favorites

here the problem is that the username and password can be sniffed, since they are plain text. Therefore, it is better to encrypt them on the client side and decrypt them on the server side.

Now the real problem arises, how does the server know if the sent request is sent by a valid client or not ...

  • the solution for this is to generate a hash of your url request and add that hash at the end of the url and then send the request to the server. (what we usually say is a checksum) .. generates a checksum using its own url or use jash-based hash generators like SHA1, MD5, etc.

  • Suppose the hash generated to request the URL is local: 8080 / REST / encrypted-username / encrypted-Password / books / favorites this is some line of the hash adasfsjimnom123123k. so add this to your url

local: 8080 / REST / encrypted-username / encrypted-Password / books / favorites / adasfsjimnom123123k

This way you can protect your web service request. Only when the generated checksum is valid does the server provide the requested data.

Use the Curl tool as a resting client (instead of a separate Java code) to test your services.

Complete reference

+4
source

Source: https://habr.com/ru/post/1441463/

More articles:


All Articles