 

Authorizing REST Requests

I'm working on a REST service that has a few requirements:

  1. It has to be secure.
  2. Users should not be able to forge requests.

My current proposed solution is to have a custom Authorization header that looks like this (this is the same way that Amazon Web Services works):

Authorization: MYAPI username:signature

My question is how to form the signature. When the user logs into the service they are given a secret key which they should be able to use to sign requests. This will stop other users submitting requests on their behalf, but will not stop them forging requests.

The application that will be using this service is an iPhone application, so I was thinking we could have a public key embedded in the application which we can do an additional signature with, but does this mean we'll have to have two signatures, one for the user key and one for the app key?

Any advice would be greatly appreciated, I'd quite like to get this right the first time.

jonnii asked Oct 27 '08 15:10



1 Answer

The answer is simple: It cannot be done. As soon as you ship any solution to the end user, he or she can always attack the server it is communicating with. The most common version of this problem is cheating with high-score lists in Flash games. You can make it harder by embedding some sort of encryption in the client and obfuscating the code... But all compiled and obfuscated code can always be decompiled and deobfuscated. It is just a matter of how much time and money you are willing to spend, and likewise for the potential attacker.

So your concern is not how to try to prevent the user from sending faulty data to your system. It is how to prevent the user from damaging your system. You have to design your interfaces so that all damage done by faulty data only affects the user sending it.

Johan Öbrink answered Sep 21 '22 21:09
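Added example (not code from either the question or the answer) tying the two posts together: the `MYAPI username:signature` header from the question, implemented as an HMAC-SHA256 signature over the method, path, timestamp and body hash with the per-user secret issued at login, followed by the server-side check the answer calls for, which only lets an authenticated user write to resources under their own path. Everything below is assumed for illustration: the user store, the `X-MYAPI-Date` timestamp header and its 300-second replay window, and the ownership rule `/users/{username}/...`. The "app key" embedded in the iPhone client is deliberately left out, since anyone who extracts it from the binary can produce that second signature too.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample user store: username -> secret key handed out at login.
USER_SECRETS = {
    "alice": b"alice-secret-key-issued-at-login",
    "bob": b"bob-secret-key-issued-at-login",
}

SCHEME = "MYAPI"          # scheme name from the question
DATE_HEADER = "X-MYAPI-Date"  # assumed header carrying a unix timestamp
MAX_CLOCK_SKEW = 300      # assumed replay window, in seconds


def canonical_string(method, path, date, body):
    """String to sign. Binding method, path, timestamp and body hash means a
    captured signature cannot be reused for another resource, payload or time."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, date, body_hash])


def sign(secret, method, path, date, body):
    msg = canonical_string(method, path, date, body).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()


def make_request(username, secret, method, path, body, ts):
    """Client side: build the headers for one signed request."""
    date = str(int(ts))
    return {
        DATE_HEADER: date,
        "Authorization": f"{SCHEME} {username}:{sign(secret, method, path, date, body)}",
    }


def parse_auth_header(header):
    """Split 'MYAPI username:signature'; return None on any malformed input."""
    try:
        scheme, rest = header.split(" ", 1)
        username, signature = rest.split(":", 1)
    except ValueError:
        return None
    return (username, signature) if scheme == SCHEME else None


def authenticate(headers, method, path, body, now=None):
    """Server side: return the username the signature proves, or None."""
    now = time.time() if now is None else now
    parsed = parse_auth_header(headers.get("Authorization", ""))
    if parsed is None:
        return None
    username, signature = parsed
    secret = USER_SECRETS.get(username)
    if secret is None:
        return None
    date = headers.get(DATE_HEADER, "")
    try:
        ts = int(date)
    except ValueError:
        return None
    if abs(now - ts) > MAX_CLOCK_SKEW:       # stale or replayed request
        return None
    expected = sign(secret, method, path, date, body)
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        return None
    return username


def authorize(username, method, path):
    """The answer's point: a signature only tells you WHO sent the data, so the
    server must confine what that user can damage. Here writes are allowed
    only under the caller's own prefix (assumed ownership rule)."""
    if method.upper() in ("GET", "HEAD"):
        return True
    return path.startswith(f"/users/{username}/")


def handle(headers, method, path, body, now=None):
    """Return an HTTP status: 401 bad/missing signature, 403 wrong owner, 200 ok."""
    user = authenticate(headers, method, path, body, now)
    if user is None:
        return 401
    if not authorize(user, method, path):
        return 403
    return 200


if __name__ == "__main__":
    now = 1_700_000_000
    hdrs = make_request("alice", USER_SECRETS["alice"], "PUT", "/users/alice/profile", b'{"n":1}', now)
    print(handle(hdrs, "PUT", "/users/alice/profile", b'{"n":1}', now))        # own resource
    print(handle(hdrs, "PUT", "/users/alice/profile", b'{"n":2}', now))        # tampered body
    hdrs = make_request("alice", USER_SECRETS["alice"], "PUT", "/users/bob/profile", b"{}", now)
    print(handle(hdrs, "PUT", "/users/bob/profile", b"{}", now))                # someone else's
```

Note that the signature step answers only "which account holds this secret"; it says nothing about whether the payload is honest, which is why `authorize` is a separate check keyed on the authenticated identity rather than on anything the client claims in the body.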