How to secure a REST web service in Java EE 6

I have made a web application using Java EE 6 (using reference implementations) and I want to expose it as a REST web service.

The background is that I want to be able to retrieve data from the web application to an iOS app I made. The question is how would I secure the application? I only want my application to use the web service. Is that possible and how would I do this? I only need to know what I should search for and read and not the actual code.

644 likes
LuckyLuke asked Jan 21 '12 19:01


2 Answers

Unfortunately, your webservice will never be completely secure but here are a few of the basic things you can do:

  • Use SSL
  • Wrap all your (app) outbound payloads in POST requests. This will prevent casual snooping to find out how your webservice works (in order to reverse engineer the protocol).
  • Somehow validate your app's users. Ideally this will involve OAUTH for example using Google credentials, but you get the idea.

Now I'm going to point out why this won't be completely secure:

  • If someone gets a hold of your app and reverse engineers it, everything you just did is out the window. The only thing that will hold is your user validation.
  • Embedding a client certificate (as other people have pointed out) does nothing to help you in this scenario. If I just reverse engineered your app, I also have your client certificate.

What can you do?

  • Validate the accounts on your backend and monitor them for anomalous usage.

Of course this all goes out the window when someone comes along, reverse engineers your app, builds another one to mimic it, and you wouldn't (generally) know any better. These are all just points to keep in mind.

Edit: Also, if it wasn't already obvious, use POST (or GET) requests for all app queries (to your server). This, combined with the SSL should thwart your casual snoopers.

Edit2: Seems as if I'm wrong re: POST being more secure than GET. This answer was quite useful in pointing that out. So I suppose you can use GET or POST interchangeably here.

179 likes
Marvin Pinto answered Sep 24 '22 10:09


Depends on how secure you want to make it.

  • If you don't really care, just embed a secret word in your application and include in all the requests.
  • If you care a little more do the above and only expose the service via https.
  • If you want it to be secure, issue a client certificate to your app and require a valid client certificate to be present when the service is accessed.

21 likes
MK. answered Sep 23 '22 10:09
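As an added example (not code from either answer or from the asker's project), this is the declarative Servlet 3.0 / Java EE 6 way to get the "only expose the service via https" and "require a valid client certificate" options from the second answer, which also covers the "Use SSL" point of the first. Assumed: the JAX-RS servlet is mapped under /api/*, the role name app-client is made up, and the container (e.g. GlassFish) is separately configured with a truststore holding the CA that issued the app's client certificate and with a mapping from that certificate's principal to the role.

```xml
<!-- web.xml fragment (goes inside <web-app>). Values marked "assumed" are
     placeholders chosen for this example, not taken from the question. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>REST API</web-resource-name>
    <!-- assumed path of the JAX-RS servlet -->
    <url-pattern>/api/*</url-pattern>
    <!-- No <http-method> element: GET, POST and every other verb are covered,
         which matters because the first answer notes POST is not "more secure"
         than GET on its own. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only authenticated principals mapped to this (assumed) role may call the API. -->
    <role-name>app-client</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL makes the container require TLS; plain HTTP is redirected or rejected. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- Authenticate callers by X.509 client certificate (mutual TLS) instead of a
       shared secret embedded in the app. -->
  <auth-method>CLIENT-CERT</auth-method>
  <!-- assumed: GlassFish's built-in certificate realm; other containers differ -->
  <realm-name>certificate</realm-name>
</login-config>

<security-role>
  <role-name>app-client</role-name>
</security-role>
```

The caveat from the first answer still applies: a certificate and private key shipped inside the app can be extracted by anyone who reverse engineers it, so per-user authentication and server-side monitoring of each account's usage remain necessary on top of this configuration.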