I write a Java (Spring-Boot) service that multiple client applications can use. For maintenance/stats I would like to log which applications access the service. How can the client application be identified without trusting the client?
Additional information
Approach
The idea could be to use public key authentication and bind the private key to something like the protocol/IP/port combination. The first part (public key auth.) would help clients that are interested in good maintenance/stats. The second part (binding) is a dead end in my eyes because I don't know what I could use for the binding:
Any ideas?
You can also add authorization via a token in HTTP headers, and rewrite all client code to get tokens from the environment on deploy (do not hardcode tokens in code in the repository).
So even if a new client appears by copy-paste of code, it needs to get a token from you. You can also manage access for different apps, and in case of anomalous load from one of the apps you can "ban" this app (or degrade it by reducing response speed for this particular token).
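A server-side sketch of the token approach in the answer above, added here as an example and not code from the original posts: a plain-JDK lookup that a servlet filter or Spring interceptor could call to turn the `Authorization` header into an application name for logging. The class name `ClientTokenRegistry`, the `CLIENT_TOKENS` variable, its `app=token` format and the sample tokens are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper: maps a bearer token from the Authorization header to an application name.
public class ClientTokenRegistry {
    private final Map<String, byte[]> digestByApp = new HashMap<>(); // app -> SHA-256(token)
    private final Set<String> banned = ConcurrentHashMap.newKeySet();

    // Assumed spec format: "billing-app=tokenA,report-app=tokenB"
    public ClientTokenRegistry(String spec) {
        for (String entry : spec.split(",")) {
            String[] kv = entry.trim().split("=", 2);
            if (kv.length != 2 || kv[1].isEmpty()) throw new IllegalArgumentException("bad entry");
            digestByApp.put(kv[0], sha256(kv[1])); // keep only the digest in memory
        }
    }

    public void ban(String app) { banned.add(app); }

    // Returns the application name, or empty if the header is missing, malformed, unknown or banned.
    public Optional<String> identify(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) return Optional.empty();
        byte[] presented = sha256(authorizationHeader.substring(7).trim());
        String match = null;
        for (Map.Entry<String, byte[]> e : digestByApp.entrySet()) {
            // MessageDigest.isEqual is a constant-time comparison; scan all entries without early exit
            if (MessageDigest.isEqual(e.getValue(), presented)) match = e.getKey();
        }
        return (match == null || banned.contains(match)) ? Optional.empty() : Optional.of(match);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex); // SHA-256 is a required algorithm on every JVM
        }
    }

    public static void main(String[] args) {
        // Constructed sample tokens; in deployment pass System.getenv("CLIENT_TOKENS") instead
        ClientTokenRegistry reg = new ClientTokenRegistry("billing-app=tok-1111,report-app=tok-2222");
        System.out.println(reg.identify("Bearer tok-2222"));             // token issued to report-app
        System.out.println(reg.identify("Bearer copied-without-token")); // client that was never issued a token
        reg.ban("report-app");
        System.out.println(reg.identify("Bearer tok-2222"));             // same token after the ban
    }
}
```

The returned name is what goes into the access log; a token proves only that the caller holds it, so each application should get its own token and it should travel over TLS.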