
Restful WebService Authentication

 
sachin burange
Ranch Hand
Posts: 43
Hi,

I have written a couple of RESTful web services. As part of security I have added SALT and signature params so that not just anyone can access them.
These services will be deployed under HTTPS. The JSON request looks like below.

{
  "instrumentName": "InName",
  "instrumentGroup": "InstrumentGroup",
  "salt": "KVq88mTrqjoYPiCVhfmh4Q==",
  "signature": "ZinT6BvBZvBCzBTKaCPG4l+L8FuB4U9/575aDXaZ9yA="
}

SALT and SIGNATURE will be unique on every request.

My question is: will this much security be enough, or can a malicious user also grab the salt and signature and hit other endpoints? If yes, then what can be done further to enhance security for REST calls?


Best Regards,
sachin
 
Amit Ghorpade
Bartender
Posts: 2856
I am not sure how you are using the salt here, but I think you are mistaken. A salt is some predefined/decided-upon value between the client and the server.
You salt every secret value with the same salt value. Sending the salt value in the request defies the purpose of the salting itself.
Not sending the salt in the request will improve security significantly.
 
sachin burange
Ranch Hand
Posts: 43

Thanks Amit for the reply. I am using the salt in a slightly unconventional way. Here it is:

There are two parties, Party A and Party B.

Party A is the web service itself.
Party B is the caller of the web service.

Both parties have agreed upon a shared secret key.

Now when Party B calls the REST web service it generates the salt and signature and sends them across.
As soon as the request reaches Party A, it takes the salt, uses it with the secret key and generates the signature.

Now Party A matches the generated signature with the signature it received from Party B. If they match then it is a valid request; otherwise it will deny the service.

Now my initial question was: the dynamic salt and signature will be in the HTTP body and the services will be installed on HTTPS. Is this much security OK, or can we enhance it and restrict unwanted users by any other techniques?


Best Regards,
sachin
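The salt-plus-HMAC scheme described in the thread, as an added example that is not code from either poster: `weak_sign`/`weak_verify` model the signature as described (HMAC over the salt and shared key only, so nothing ties it to a particular endpoint), and `bound_sign`/`Verifier` show the server-side hardening that makes a captured salt and signature useless on another endpoint, after a time window, or on a second use. The secret, the paths and the nonce value are placeholders constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholder key: the real one is agreed out of band by Party A and Party B
SECRET = b"shared-secret-agreed-out-of-band"

def canonical_body(obj):
    # Both sides must serialise the body identically before hashing it
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def weak_sign(secret, salt):
    # The scheme as described in the thread: HMAC over the salt alone
    return base64.b64encode(hmac.new(secret, salt, hashlib.sha256).digest()).decode()

def weak_verify(secret, salt, signature):
    # Nothing about the endpoint, payload or time enters this check
    return hmac.compare_digest(weak_sign(secret, salt), signature)

def bound_sign(secret, method, path, body, nonce, ts):
    # Bind the signature to method, path, body digest, nonce and timestamp
    msg = "\n".join([method.upper(), path, hashlib.sha256(body).hexdigest(),
                     nonce, str(ts)]).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()

class Verifier:
    """Server-side (Party A) check for the bound scheme."""
    def __init__(self, secret, max_skew=300):
        self.secret = secret
        self.max_skew = max_skew      # seconds a request stays acceptable
        self.seen = {}                # nonce -> ts; use a shared store in production

    def verify(self, method, path, body, nonce, ts, signature, now=None):
        now = time.time() if now is None else now
        if abs(now - ts) > self.max_skew:          # stale or future-dated request
            return False
        expected = bound_sign(self.secret, method, path, body, nonce, ts)
        if not hmac.compare_digest(expected, signature):   # constant-time compare
            return False
        # Forget nonces too old to be replayed, then reject any repeat
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return False
        self.seen[nonce] = ts
        return True
```

Over HTTPS the transport protects the body in transit, but the bound scheme is what stops a party who legitimately holds one valid request (or obtains it through a log, proxy or compromised client) from reusing it elsewhere.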
 