is there a way to block REST API calls to a non authorized client?
is there a way to make the API "limited" to (public for) only small number of well defined clients?
thanks :-)
You can deploy mutually-authenticated SSL between your clients and your server. You can use self-signed certificates here so you don't need to buy any from a CA. This will ensure that your server only accepts requests from clients that have the client-side certificate (configure your server to only accept the self-signed client certificates deployed on your clients for client authentication).
If you are using RESTFul HTTP
you can add an HttpServletFilter to your web.xml which prevents unauthorized clients from accessing your REST Methods.
See
Securing JAX-RS and RESTeasy
If you use the Spring Framework you and you don't want to implement your own HttServletFilter you can use Spring Security
You just need to implement security mechanisms in your RESTful Service, so it denies access to unauthorized clients (with a 404 or 401 response code). There are several ways to achieve this:
Relay on HTTP authentication mechanisms, like Basic Authentication
Implement a Custom Authentication framework, that overcomes HTTP Basic Authentication limitations. Amazon has an interesting approach that includes custom HTTP headers and supports hashing.
Use an existing security framework and add its capabilities to your service. Spring Security sounds like a great option.
Related
A client of mine has a bunch of APIs in CloudHub that communicate with two APIs on premise in their runtime. The question I get asked, to which I don't really know the answer, is how to secure the communication between the APIs on CloudHub and on premise without using API Manager (since the client preferred not to pay for it) ? I thought of a middleware (middleware inception) that hashes the messages from one end to another, is this a viable idea? What could the best answer be?
The server applications should implement some basic security best practices like authentication and encryption.
Having applications deployed in any cloud environment without security is a big security risk. I assume that there is a secure link between the CloudHub environment and their on premise environment, like a VPN, but even so this architecture would not probably pass a security audit.
They should implement authentication using HTTP Basic authentication or OAuth 2. These are the most common authentication schemas used for REST APIs. Note that credentials go in clear text so they should also implement encryption.
To encrypt the traffic the server applications should use TLS, ie HTTPS connections instead of plain HTTP.
Optionally you could also implement mutual TLS authentication, requiring the client to have a valid certificate that the HTTPS server validates.
Hashing message could be an additional level of security, but that implies changing the applications logic to implement some custom security. The effort should be better put into implementing standard security practices as mentioned. If after that you want to add it feel free to do so.
You have not shared details of the technology of the on prem applications. Mule applications can implement both the client and server side of any of these methods. Read the documentation for details:
https://docs.mulesoft.com/http-connector/1.7/http-authentication
https://docs.mulesoft.com/mule-runtime/4.4/tls-configuration
https://help.mulesoft.com/s/article/Tutorial-how-to-create-a-simple-Mule-4-http-basic-authentication-application
We have several internal web applications/services in our company which can only be accessed from LAN. Now, we have a public web portal hosted in Internet, and this portal needs to be access some internal services.
To meet this requirement, I plan to use Apache Camel in a ServerMix to route the requests from web portal to local web services.
The exposed endpoints will use Jetty(HTTP) or CXF protocol. As you can see, we must secure those endpoints, since they will also be exposed on Internet.
I read through the Camel website, camel support Shiro security for authentication and authorization. However, I think Shiro is too heavy in our scenario. Because we only have one web portal to be authenticated. And Shiro will to encrypt payload, that means the username and password will be transported in plain text.
So I consider to use HTTPS, but I am new to HTTPS. How HTTPS authenticate request application? Should I use 2-way HTTPS?
Please clear me out here, an example will be very helpful. Thanks.
Read through this section, it would explain how you can have a secure cxf endpoint:
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Fuse/6.0/html/Security_Guide/files/CamelCXF.html
If you didn't manage to create your secure endpoint, let me know and I'll create an example for you.
I'm developing a rich client javascript application with ASP MVC 4 Web API back end.
How would you suggest to secure all the ajax requests ad make sure they are made from an authenticated user.
Thanks !
Any securing mechanism would do, consider for example Forms authentication.
You add the Authorize attribute to your controller methods and ajax requests carry the cookie if it has been issued from the server.
This is really as simple. If for some reason it doesn't apply to your scenario, you'd have to be more specific.
As Wiktor suggested, you could use Form-based authentication (HTTP mechanism).
If we consider your question more broadly though, what does it mean to secure all the AJAX requests?
You probably want to achieve:
integrity
confidentiality
non repudiation
accountability
more?
The topic is more broadly discussed on wikipedia. More specifically you want to do the following in your API:
secure the communication channel: use SSL (either one-way or 2-way). This will provide integrity and confidentiality
use authentication. This will give you non-repudiation and accountability. There are different authentication methods available in .NET (Forms, HTTP Basic, SAML-based...)
for advanced scenarios around authorization (which user is allowed to call with method), use claims-based authorization (part of .NET framework), RBAC, or XACML.
I am developing Restful API layer my app. The app would be used in premises where HTTPS support is not available. We need to support both web apps and mobile apps. We are using Node/Expressjs at the server side. My two concerns are:
Is there a way we could setup secure authentication without HTTPS?
Is there a way we could reuse the same authentication layer on both web app (backbonejs) and native mobile app (iOS)?
I think you are confusing authenticity and confidentiality. It's totally possible to create an API that securely validates the caller is who they say they are using a MAC; most often an HMAC. The assumption, though, is that you've securely established a shared secret—which you could do in person, but that's pretty inconvenient.
Amazon S3 is an example of an API that authenticates its requests without SSL/TLS. It does so by dictating a specific way in which the caller creates an HMAC based on the parts of the HTTP request. It then verifies that the requester is actually a person allowed to ask for that object. Amazon relies on SSL to initially establish your shared secret at registration time, but SSL is not needed to correctly perform an API call that can be securely authenticated as originating from an authorized individual—that can be plain old HTTP.
Now the downside to that approach is that all data passing in both directions is visible to anyone. While the authorization data sent will not allow an attacker to impersonate a valid user, the attacker can see anything that you transmit—thus the need for confidentiality in many cases.
One use case for publicly transmitted API responses with S3 includes websites whose code is hosted on one server, while its images and such are hosted in S3. Websites often use S3's Query String Authentication to allow browsers to request the images directly from S3 for a small window of time, while also ensuring that the website code is the only one that can authorize a browser to retrieve that image (and thus charge the owner for bandwidth).
Another example of an API authentication mechanism that allows the use of non-SSL requests is OAuth. It's obsolete 1.0 family used it exclusively (even if you used SSL), and OAuth 2.0 specification defines several access token types, including the OAuth2 HTTP MAC type whose main purpose is to simplify and improve HTTP authentication for services that are unwilling or unable to employ TLS for every request (though it does require SSL for initially establishing the secret). While the OAuth2 Bearer type requires SSL, and keeps things simpler (no normalization; the bane of all developers using all request signing APIs without well established & tested libraries).
To sum it up, if all you care about is securely establishing the authenticity of a request, that's possible. If you care about confidentiality during the transport of the response, you'll need some kind of transport security, and TLS is easier to get right in your app code (though other options may be feasible).
Is there a way we could setup secure authentication without HTTPS?
If you mean SSL, No. Whatever you send through your browser to the web server will be unencrypted, so third parties can listen. HTTPS is not authentication, its encyrption of the traffic between the client and server.
Is there a way we could reuse the same authentication layer on both web app (backbonejs) and native mobile app (iOS)?
Yes, as you say, it is layer, so it's interface will be independent from client, it will be HTTP and if the web-app is on same-origin with that layer, there will be no problem. (e.g. api.myapp.com accessed from myapp.com). Your native mobile can make HTTP requests, too.
In either case of SSL or not SSL, you can be secure if you use a private/public key scenario where you require the user to sign each request prior to sending. Once you receive the request, you then decrypt it with their private key (not sent over the wire) and match what was signed and what operation the user was requesting and make sure those two match. You base this on a timestamp of UTC and this also requires that all servers using this model be very accurate in their clock settings.
Amazon Web Services in particular uses this security method and it is secure enough to use without SSL although they do not recommend it.
I would seriously invest some small change to support SSL as it gives you more credibility in doing so. I personally would not think you to be a credible organization without one.
I'm interested to know what methods people use to secure their webservices from unauthorized web service consumers.
There is a protocol specifically for web services security WS-Security. I've used parts of it in the past but at the time there was not a lot of support for it in .Net so it was a lot of work.
Currently with .Net I use SOAP Extension Headers. I have one web service call to authenticate and get a session token and then include that token in a SOAP header for every subsequent call, somewhat similar to this example. Of course all the request must travel over TLS to keep them from being compromised.
I usually require either a user id/password to be sent each time, or return a token from the first authenticated connection that can be used subsequently.
Nothing fancy. Pretty similar to standard web app login.
I've used both SOAP headers and method parameters to pass user credentials -- .NET makes using the SOAP headers pretty easy, but I had issues with this using Java (several months back). I also do some IP-based filtering if the service is not intended for client (browser) use, but rather from backend web servers. Public, browser consumable web services are often protected by session cookies -- i.e, requires a valid logon to the web site, then the standard session authentication mechanism is used for requests via AJAX to web services.
You can use network appliances such as IBM's DataPower or Vordel if you don't want to handle in your own application.