Ajax on REST API secure call

This question was asked to me in an interview. I am searching on the Internet but cannot find a thread that explains this in a way that makes sense to me.

Suppose I have a web service that returns a list of something and is available in a public domain (any authority can use this). To ensure security, the user must use a key to access this web service.

How can I use this web service safely in Ajax?

The problem is that if I use Ajax to access this web service, any authority can see my private key.

I suggest encryption, but I have to pass this key for decryption (as I understand it) in some form. What I suggest is a pick file (on the server side) through which I can call this web service, but what if someone directly accesses this mediation file? (I know what the origin policy is.)

I really want to know what the possible solution is to overcome this problem, and what is the best thing to do for a safe Ajax call to REST.

+4
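The "mediation file" the question describes, as an added example that is not part of the question or any answer: a server-side endpoint that the browser's Ajax call reaches with only the user's own session cookie, and which attaches the upstream key on the server so the page's JavaScript never holds it. The upstream URL, the key, the session store and the allowed resource names are all hypothetical values constructed for this example; the upstream call is injected as a function so it runs offline.

```javascript
// Added example, not code from the question or any of its answers: a server-side
// "mediation" endpoint that keeps the upstream API key out of the browser. The
// browser's Ajax call carries only the user's own session cookie; the server
// checks that session, limits which upstream resources may be requested, and
// attaches the secret key on the server side. Every name, URL and stored value
// below is hypothetical and constructed for this example.

const UPSTREAM_BASE = "https://api.example.invalid/v1"; // hypothetical key-protected service
const UPSTREAM_API_KEY = "server-side-secret-key";       // constructed; lives only on the server

// Resources the proxy will forward. Restricting these is what stops someone who
// calls the mediation endpoint directly from using it as an open relay.
const ALLOWED_RESOURCES = new Set(["items", "categories"]);

// Server-side session store (constructed sample data): session id -> user.
const SESSIONS = new Map([["sess-abc123", { user: "alice" }]]);

// Parse a Cookie request header into a name -> value object.
function parseCookies(header) {
  const out = {};
  if (typeof header !== "string") return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    try {
      out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
    } catch (e) {
      // malformed percent-encoding: ignore this cookie rather than fail the request
    }
  }
  return out;
}

// Handle one browser request to the mediation endpoint. `fetchUpstream` performs
// the server-to-server call and is injected so the logic can run offline.
// Returns {status, body}; the key is never part of what goes back to the browser.
function handleProxyRequest(req, fetchUpstream) {
  const cookies = parseCookies(req.headers && req.headers.cookie);
  const session = SESSIONS.get(cookies.sid);
  if (!session) {
    return { status: 401, body: { error: "login required" } };
  }

  const resource = (req.query && req.query.resource) || "";
  if (!ALLOWED_RESOURCES.has(resource)) {
    return { status: 403, body: { error: "resource not allowed" } };
  }

  // The key is attached here, on the server; the page's JavaScript never holds it.
  const upstream = fetchUpstream({
    url: `${UPSTREAM_BASE}/${resource}`,
    headers: { "X-Api-Key": UPSTREAM_API_KEY, Accept: "application/json" },
  });
  if (upstream.status !== 200) {
    return { status: 502, body: { error: "upstream failure" } };
  }
  return { status: 200, body: { user: session.user, data: upstream.body } };
}

// Stand-in for the upstream service (constructed): it answers only when the key
// is present, which a browser-side call could satisfy only by exposing the key.
function fakeUpstream(request) {
  if (request.headers["X-Api-Key"] !== UPSTREAM_API_KEY) {
    return { status: 401, body: null };
  }
  const resource = request.url.slice(UPSTREAM_BASE.length + 1);
  return { status: 200, body: [`${resource}-1`, `${resource}-2`] };
}

// Demo: a logged-in user, an anonymous caller, and a disallowed resource.
console.log(handleProxyRequest({ headers: { cookie: "sid=sess-abc123" }, query: { resource: "items" } }, fakeUpstream));
console.log(handleProxyRequest({ headers: {}, query: { resource: "items" } }, fakeUpstream));
console.log(handleProxyRequest({ headers: { cookie: "sid=sess-abc123" }, query: { resource: "users" } }, fakeUpstream));
```

The two checks answer the question's worry about someone calling the mediation file directly: without a valid session of their own the caller gets a 401, and even with one they can only reach the resources the proxy was written to forward, never an arbitrary upstream path with your key attached.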
3 answers

In fact, OAuth2 has a dedicated security flow for this particular use case, called the Implicit Grant Flow.

OAuth2. XSS. REST Basic Authentication Javascript?

Thierry

+1

cookie. Cookie.

cookie. Facebook.

Ajax, GET, AJAX Calls.

0

100% (OAuth 1, 2). 100% + SSL.

SSL.

(Ajax) (Postman):

// JAX-RS resource; the imports and the enclosing class were missing from the snippet
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/")
public class AuthResource {

    // inject the current request so the Authorization header can be read
    @Context
    private HttpServletRequest request;

    @GET
    @Path("/testAuth")
    @Produces(MediaType.APPLICATION_JSON)
    public Response testAuth() {
        // TODO
        // this is only a template for doing authentication in the near future

        // check if authenticated (scheme name is case-insensitive)
        String authorization = request.getHeader("Authorization");
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            // not authenticated: tell the client which scheme is expected
            String returnString = "{\"testAuth\": \"need authentication\"}";
            return Response.status(401)
                    .header("WWW-Authenticate", "Basic realm=\"api\"")
                    .entity(returnString).build();
        }

        String credentials = authorization.substring("Basic".length()).trim();
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(credentials);
        } catch (IllegalArgumentException e) {
            return Response.status(400).entity("{\"testAuth\": \"malformed credentials\"}").build();
        }
        String decodedString = new String(decoded, StandardCharsets.UTF_8);
        // split on the first ':' only, because the password itself may contain one
        String[] actualCredentials = decodedString.split(":", 2);
        if (actualCredentials.length != 2) {
            return Response.status(400).entity("{\"testAuth\": \"malformed credentials\"}").build();
        }
        String id = actualCredentials[0];
        String password = actualCredentials[1];
        String result = userAuthenticate(id, password);

        // the result string is placed inside a JSON string, so it must not contain quotes
        String returnString = "{\"testAuth\": \"(" + result + ")\"}";
        return Response.status(200).entity(returnString).build();
    }

    // placeholder for the real credential check, which this template leaves unimplemented
    private String userAuthenticate(String id, String password) {
        throw new UnsupportedOperationException("not implemented in this template");
    }
}
0

Source: https://habr.com/ru/post/1608943/

