Restricting data access with REST


I would like to know if it is possible to restrict access to my application's REST data.

For example, I have the XML/JSON that it returns at http://meuapi.com/usuarios, which returns my user list.

So anyone who discovers the URL can access the data directly through it, getting all the information, and sometimes can even change it using browser plugins.

I wanted to know whether something like this exists, and how I could stop it from happening. I am currently working on the application in Java, but I also work with ASP.NET, so if you know solutions for both, they are all welcome.

  • You will need to understand Authentication and Authorization. This question gives a bit of the idea. If I get time I will post an answer later.

  • Thanks @Caputo, I will check the link you sent me; if you have time and can post the answer, I will be waiting. Thank you.

1 answer

The answer to your question is: yes, there are many ways to do this, from the most common, HTTP authentication, to generating certificates or tokens.

  • Authentication/authorization with HTTP Basic: In HTTP Basic authentication, the client's user name and password are sent to the server Base64-encoded. This form of authentication provides some access control, but it is vulnerable to interception on the network, which would allow an attacker to obtain the user name and password and start making requests with the data obtained. However, using HTTPS to protect the channel solves this problem.

  • Authentication/authorization with HTTP Digest: HTTP Digest authentication is another form of access control for web resources, and it is safer than HTTP Basic. It applies an MD5 cryptographic hash to the password before sending it over the network, using nonce values to prevent replay attacks. The MD5 calculations used in Digest authentication are meant to be one-way, meaning it must be difficult to recover the input value from the output alone. However, if the password is very simple, breaking it by brute force should not be very costly.

  • Authentication/authorization through certificates: Authentication/authorization via certificates on the client side as well is an additional security refinement of HTTPS communication, which can already be done with server-side certificates alone. This form of authentication/authorization is quite safe, but the work and cost of handling certificates on both sides is considerable, and it is suitable only in very security-sensitive scenarios.

  • Token-based authorization: This is a simple and secure way to control authentication/authorization of services between servers, although it is not a standard.

  • OAuth: It is an open standard for authorization. It provides a method for clients to access resources on the server on behalf of the resource owner (such as another client or an end user). It also provides a means for end users to authorize third-party access to their resources on a server without giving out their credentials, usually through redirects and confirmations by the users. OAuth is commonly used when we have an application that needs to work with APIs holding end-user data and those users need to authorize the access. Typical examples are apps that connect to the user's account on social networks. Although it can be used for server-to-server authorization, this is not very common. Although it is safe, OAuth is not so widely adopted because of the complexity of implementing it.

Source: http://blog.rivendel.com.br/2013/06/07/seguranca-em-apis-rest-parte-1/

Basic HTTP authentication: http://en.wikipedia.org/wiki/Basic_access_authentication

  • Thanks for the reply. I believe that based on what you answered I will be able to solve my problem. Thanks!
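As an added illustration of the first and fourth options in the answer above (HTTP Basic and a token-based scheme), and not code from the answer itself, here is a self-contained server-side check written in Python rather than the Java or ASP.NET the question mentions, because the logic is the same in a servlet filter or ASP.NET middleware: decode the Authorization header, verify the credential against a hashed store, then apply an authorization (role) check before returning data. The user store, the role names, the TOKEN_KEY secret and the header dictionary are all assumptions made for the example; the Base64 decoding of Basic credentials and the constant-time comparison are the parts that carry over directly.

```python
import base64
import binascii
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so the stored value is not the reusable password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed credential store (example data, not from the original page).
_ALICE_SALT, _BOB_SALT, _DUMMY_SALT = b"salt-alice-16byt", b"salt-bob-16bytes", b"salt-dummy-16byt"
USERS: Dict[str, dict] = {
    "alice": {"salt": _ALICE_SALT, "hash": hash_password("correct horse battery staple", _ALICE_SALT), "roles": {"admin"}},
    "bob": {"salt": _BOB_SALT, "hash": hash_password("bob-password-2024", _BOB_SALT), "roles": set()},
}
# Hypothetical server-side signing key for bearer tokens; a real service loads it from its secret store.
TOKEN_KEY = os.urandom(32)


def basic_header(user: str, password: str) -> str:
    """Build what a client sends: 'Basic ' + base64('user:password'). Base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check_basic(encoded: str) -> Optional[str]:
    """Verify an HTTP Basic credential; return the user name or None."""
    try:
        raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)  # the password itself may contain ':'
    record = USERS.get(user)
    # Hash even for unknown users so response time does not reveal which names exist.
    candidate = hash_password(password, record["salt"] if record else _DUMMY_SALT)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    return user


def issue_token(user: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint a bearer token 'base64url(user:expiry).hex(HMAC-SHA256)'; only the server holds TOKEN_KEY."""
    expiry = (int(time.time()) if now is None else now) + ttl
    payload = f"{user}:{expiry}".encode("utf-8")
    sig = hmac.new(TOKEN_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode("ascii") + "." + sig


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Check the token's signature and expiry; return the user name or None."""
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(TOKEN_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("ascii")):
        return None  # tampered payload or forged signature
    user, _, expiry = payload.decode("utf-8", "replace").rpartition(":")
    if not expiry.isdigit() or (int(time.time()) if now is None else now) >= int(expiry):
        return None  # expired
    return user if user in USERS else None


def authorize(headers: dict, required_role: Optional[str] = None, now: Optional[int] = None) -> Tuple[int, str]:
    """Gate a request: 401 when not authenticated, 403 when authenticated but not permitted, else 200."""
    header = headers.get("Authorization")
    if not header:
        return 401, "missing Authorization header"
    scheme, _, credential = header.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        user = check_basic(credential.strip())
    elif scheme == "bearer":
        user = verify_token(credential.strip(), now=now)
    else:
        return 401, f"unsupported scheme {scheme!r}"
    if user is None:
        return 401, "invalid credentials"
    if required_role and required_role not in USERS[user]["roles"]:
        return 403, f"{user} lacks role {required_role!r}"
    return 200, user


if __name__ == "__main__":
    print(authorize({"Authorization": basic_header("alice", "correct horse battery staple")}))
    token = issue_token("bob", ttl=60)
    print(authorize({"Authorization": "Bearer " + token}, required_role="admin"))
```

Two points the answer's prose does not spell out: the Basic credential is only as safe as the channel, so this check belongs behind HTTPS, and the distinction between 401 (who are you?) and 403 (you may not do this) is what separates authentication from the authorization the first comment refers to. The HMAC token here is a minimal stand-in for the "token-based" bullet, not an implementation of any standard such as OAuth.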
