Server Side Only Rest Api

Question

Server Side Only Rest Api

Asked 8 years, 8 months ago

Viewed 264 times

3

Hello, I have a restful Java api using Jax RS that will be consumed by another application that will be online.

I would like to prevent people directly accessing the api, and yes, only by the web application.

Is there any way to do this lock without having to create a password authentication system?

I had thought to control by the IP of the web application server, but as the requests are ajax, the IP that would be sent is that of the client. Then it wouldn’t be possible.

Is there any way to prevent other users from directly accessing the api?

2 answers

1

The answer is nay, the authentication exists for you to solve this problem in a safe and unique way in the HTTP protocol.

You have these options among others listed here, these are the most used and recommended:

Basic Authentication (TLS)

Basic Authentication (Basic Authentication) is the easiest to implement because it can be implemented most of the time with no more library... Its problem is that it is "basic", and thus has its security level lower than other protocols. You send your username and password via an Encode Base64 encryption, and use SSL to further encrypt (TLS). After that you can create a session table, generate a hash and use it in your application by saving in browser cookies.

Oauth2:

Oauth2 uses SSL (TLS) also to encrypt password/user and other properties not required as scope. It is really a protocol, complex, and used in the authorization system of Google and Facebook. I use it in a project of mine large, and do not recommend for your case.

Use something more native to java.

In the case of Jax RS, there must be something with certainty about authentication. In your case, recommend Java EE 7 / JAX-RS 2.0: Simple REST API Authentication & Authorization with Custom HTTP Header.

Use of third parties as Stormpath

You can use third-party services to do all the work, but it’s an extra cost, and you’re kind of tied up with the service. https://stormpath.com/

Browser other questions tagged java

You are not signed in. Login or sign up in order to post.

by utluiz • **72,075** points · Answer 1 · 2016-02-15T02:12:54+00:00

If I understand correctly, the browsers of the users of the other application will make Ajax requests to your Web Service.

In this case you cannot and should not attempt to authenticate this other application, since the request does not go through it.

In fact, you can even try to do some gambiarra, but it will be very insecure, since the information goes elsewhere and anyone could simulate a requisition. If you want something unsafe you can even opt for something like the application send a token to the browser that will be valid in your web service, but of course anyone can copy this token.

For Ajax requests to work from another domain, you’ll need to put the HTTP CORS headers. These headers allow you to specify the domain that can access the Web Service. Again, the requisition may be forged, but it’s an extra security.

The ultimate solution would be to make Single Sign On (SSO), which means that the user will also be authenticated in your application. For this, one of the alternatives is to use the Oauth protocol, as suggested in the other answer.