
Most efficient way to make rest services private?

 
P Marksson
Ranch Hand
Hi!

I am creating a site which will connect to my REST services via AJAX requests. I want to limit the access of some of the REST services to my domain.

I was thinking of a Jersey filter which checks if the user attempting to connect is from my domain, and aborts if it's not. But I'm not sure how to do that.
 
Tim Moores
Saloon Keeper
How would you define "domain" in this context? If you mean subnet, you could check the IP address.
 
P Marksson
Ranch Hand
Hmm... Does the IP address the domain maps to ever change, or is it completely static?
 
Tim Moores
Saloon Keeper
Again, what do you mean by "domain"? Where is the service located, and where are the users located? If everything is on the same subnet, you could just make the service non-reachable from outside of the firewall.

If the service is located on a publicly accessible server, and you can't narrow down users to specific IP addresses (like, from within a limited number of company networks), then HTTP authentication is the remaining option.
 
P Marksson
Ranch Hand
A domain, like google.com for example.

The site and the rest service are hosted on two separate machines, located in different countries.

So if I want, for example, to filter requests that weren't made by www.myhomepage.com, I just get the IP from the domain and compare?
 
Stephan van Hulst
Saloon Keeper
I think the best way to solve this problem is probably not to restrict domains, but to use API keys.

Every application that needs to interact with your REST API is assigned a unique key, which they have to send along with their requests. Your API first authenticates the application, and if the application is authorized to make the request, the API will fulfill it.
 
Tim Moores
Saloon Keeper
I see, the call is made from within a web page that's hosted on your domain's web server; I had missed that before. In that case, checking the IP address would not work, since it'd be the address of the client browser.

API keys would work, but if the web site is public they could be copied for use by some other rogue web site.

You could check the Referer HTTP header, which should point to the web page the REST call is embedded in. That header can be faked, though that requires more effort by the client.
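
As an added example (not code from this thread, and not a Jersey filter itself; the same decision would sit inside a Jersey ContainerRequestFilter), here is the Referer/Origin check written in Python. The allowlist entry www.myhomepage.com is the placeholder name used above, and every header value below is constructed. The check prefers the Origin header, which browsers attach to cross-origin AJAX calls and which page scripts cannot set, falls back to Referer, and compares whole origins rather than substrings:

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the origin of the site whose pages
# embed the AJAX calls. "www.myhomepage.com" is the placeholder from the thread.
ALLOWED_ORIGINS = {"https://www.myhomepage.com"}


def origin_of(url):
    """Reduce a URL to its origin, 'scheme://host[:port]', or None if unparseable.

    Comparing whole origins (not substrings) is what defeats look-alikes such as
    https://www.myhomepage.com.evil.example or https://www.myhomepage.com@evil.example.
    """
    if not url:
        return None
    try:
        parts = urlsplit(url.strip())
        port = parts.port              # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def same_site_check(headers, allowed=ALLOWED_ORIGINS):
    """Decide whether a request claims to come from one of our own pages.

    Returns (allowed, reason). Origin is preferred because browsers add it to
    cross-origin XMLHttpRequest/fetch calls and scripts cannot change it;
    Referer is the fallback. A request with neither header (a curl one-liner,
    for instance) is refused.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        # Browsers send the literal string "null" for opaque origins (sandboxed
        # iframes, file:// pages); origin_of() maps that to None, i.e. refused.
        return origin_of(h["origin"]) in allowed, "origin header"
    if "referer" in h:
        return origin_of(h["referer"]) in allowed, "referer header"
    return False, "no Origin or Referer header"


if __name__ == "__main__":
    # Constructed requests: a real page, a rogue page, a bare curl call, and a
    # curl call that forges Referer (which, as noted above, still gets through).
    for hdrs in ({"Origin": "https://www.myhomepage.com"},
                 {"Origin": "https://rogue.example"},
                 {"User-Agent": "curl/8.0"},
                 {"User-Agent": "curl/8.0", "Referer": "https://www.myhomepage.com/"}):
        print(hdrs, "->", same_site_check(hdrs))
```

The last case is the caveat from the post: a non-browser client that sets Referer itself passes the check, so this keeps other people's pages from calling the service by accident but does not keep a determined client out.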
 
Stephan van Hulst
Saloon Keeper
Tim Moores wrote: API keys would work, but if the web site is public they could be copied for use by some other rogue web site.

API keys, like all sensitive information, would have to be sent using SSL. A benefit of API keys is that when an application has been compromised, the key can be revoked.

[edit]

Hmm, I suppose that would only work if the application performs the request from the server-side. It wouldn't be possible to make AJAX requests to the API from the user's client, because that would expose the API key. A solution to this problem is to use a "valet key":

1) Client requests application for access to a REST resource
2) Application requests REST API for a valet key, using its API key.
3) After successful authentication, the API responds with a valet key.
4) Application responds to client with the valet key.
5) Client makes AJAX request to REST API using the valet key.
6) REST API makes sure valet key expires after some period.
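
The six steps above, worked through as an added example in Python (this is not code from the thread; the application name, API key and scope values are constructed, and the signed-token format is one reasonable choice rather than a prescribed one). The valet key is an HMAC-signed payload carrying the application id, a scope and an expiry, so the API can validate it without a lookup, and revoking an application's API key also kills its outstanding valet keys:

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RestApi:
    """The REST API side: authenticates applications by API key and mints and
    validates short-lived valet keys for their browser clients."""

    def __init__(self, app_keys, valet_ttl=300, now=time.time):
        # Keep only digests of the API keys; the plaintext key lives on the
        # application's server and never goes into a page.
        self._apps = {app: hashlib.sha256(key.encode()).digest()
                      for app, key in app_keys.items()}
        self._signing_secret = secrets.token_bytes(32)   # never leaves the API
        self._ttl = valet_ttl                              # step 6: lifetime in seconds
        self._now = now                                    # injectable clock for testing

    def revoke_app(self, app):
        """Revoke a compromised application's key; its valet keys die with it."""
        self._apps.pop(app, None)

    def issue_valet_key(self, app, api_key, scope):
        """Steps 2-3: the application proves its API key (over TLS) and gets a
        signed, expiring valet key it may hand to its client."""
        digest = self._apps.get(app)
        if digest is None or not hmac.compare_digest(
                digest, hashlib.sha256(api_key.encode()).digest()):
            return None
        payload = {"app": app, "scope": scope,
                   "exp": int(self._now()) + self._ttl,
                   "nonce": secrets.token_hex(8)}
        body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
        sig = hmac.new(self._signing_secret, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64e(sig)}"

    def check_valet_key(self, token, scope):
        """Steps 5-6: validate a valet key presented by a browser client.
        True only for an untampered, unexpired key of a still-registered app."""
        body, sep, sig = token.partition(".")
        if not sep:
            return False
        try:
            expected = hmac.new(self._signing_secret, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64d(sig)):
                return False          # forged, or payload edited by the client
            payload = json.loads(_b64d(body))
        except ValueError:            # bad base64 or JSON (binascii.Error is a ValueError)
            return False
        return (payload.get("app") in self._apps          # application not revoked
                and payload.get("scope") == scope
                and payload.get("exp", 0) > self._now())


def demo():
    """Walk the six steps with a fake clock; returns the outcome of each check."""
    clock = [1_700_000_000]
    api = RestApi({"webapp": "constructed-api-key-not-a-real-secret"},
                  valet_ttl=300, now=lambda: clock[0])
    # 1-2: the browser asks the application; the application, server side, asks
    #      the API for a valet key using its own API key.
    vk = api.issue_valet_key("webapp", "constructed-api-key-not-a-real-secret", "read:items")
    refused = api.issue_valet_key("webapp", "wrong-key", "read:items")
    # 4-5: the application returns vk to the browser, which sends it on AJAX calls.
    results = {
        "wrong_api_key_refused": refused is None,
        "fresh_key_accepted": api.check_valet_key(vk, "read:items"),
        "other_scope_rejected": api.check_valet_key(vk, "write:items"),
    }
    # The browser holds vk, so it could try to edit the payload; the HMAC catches that.
    body, sig = vk.split(".")
    edited = json.loads(_b64d(body))
    edited["exp"] += 10_000_000
    results["edited_payload_rejected"] = api.check_valet_key(
        f"{_b64e(json.dumps(edited, separators=(',', ':')).encode())}.{sig}", "read:items")
    # 6: after the TTL the same key is dead.
    clock[0] += 301
    results["expired_key_rejected"] = api.check_valet_key(vk, "read:items")
    # Revoking the application's API key also invalidates its outstanding valet keys.
    clock[0] -= 301
    api.revoke_app("webapp")
    results["revoked_app_rejected"] = api.check_valet_key(vk, "read:items")
    return results


if __name__ == "__main__":
    print(demo())
```

Only the application server ever holds the API key; the page receives a valet key that is scoped, expires in minutes and can be cut off by revoking the application, which is what makes the AJAX call from the browser safe to expose.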
 
Tim Moores
Saloon Keeper
I'm not sure how HTTPS is supposed to help. As I understand the problem, this is a public web site. So the API key can be discovered by anyone who cares to examine the involved pages.
 
Stephan van Hulst
Saloon Keeper
Yes, I realized, I edited my previous response.
 
Ron McLeod
Saloon Keeper
If you manage both the web server platform and the web services platform, then create a VPN between the two and only allow access to your web services through the tunnel.
 
P Marksson
Ranch Hand
Having the web page and server located on two different domains caused problems with cross-origin requests. So I decided to move the web page to the server machine, and use my domain to make a web alias to the index page. Suppose that should be enough.
 
Stephan van Hulst
Saloon Keeper
You can perform cross origin requests by setting the correct CORS headers.
 
P Marksson
Ranch Hand
Yeah, but the request type will be forced to GET. POST is not allowed with CORS headers.
 
Stephan van Hulst
Saloon Keeper
That's not true. Browsers always allow GET from different domains, otherwise you wouldn't be able to link between websites.

CORS is intended specifically for stuff like AJAX requests.
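
As an added example (not code from the thread), the CORS exchange for a cross-origin POST, in Python, with www.myhomepage.com as the placeholder origin and the method and header allowlists as assumptions. A POST with a JSON body is not a "simple" request, so the browser first sends an OPTIONS preflight and only sends the POST if the preflight reply lists the method, the requested headers and the page's origin:

```python
# Constructed allowlist for the example; exact string match, as browsers compare origins.
ALLOWED_ORIGINS = {"https://www.myhomepage.com"}
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")      # assumed API surface
ALLOWED_HEADERS = ("content-type", "authorization")      # assumed request headers


def cors_headers(method, headers, allowed_origins=ALLOWED_ORIGINS):
    """Return (status, response_headers) for the CORS part of one request.

    A preflight is an OPTIONS request carrying Access-Control-Request-Method.
    The browser sends it on its own before a cross-origin POST with a JSON body
    and issues the real POST only if the reply allows the method, the headers
    and the origin.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return 200, {}                 # same-origin or non-browser caller: no CORS needed
    if origin not in allowed_origins:
        # No Access-Control-* headers at all: the browser will refuse to hand the
        # response to the page. The 403 is a courtesy; the missing headers enforce it.
        return 403, {"Vary": "Origin"}
    common = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method == "OPTIONS" and "access-control-request-method" in h:
        want_method = h["access-control-request-method"].upper()
        want_headers = [x.strip().lower()
                        for x in h.get("access-control-request-headers", "").split(",")
                        if x.strip()]
        if want_method not in ALLOWED_METHODS or any(
                x not in ALLOWED_HEADERS for x in want_headers):
            return 403, {"Vary": "Origin"}
        common.update({
            "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
            "Access-Control-Allow-Headers": ", ".join(ALLOWED_HEADERS),
            "Access-Control-Max-Age": "600",   # browser may cache this preflight
        })
        return 204, common
    return 200, common                      # actual request: browser unwraps it for the page


def exchange():
    """The two round trips a browser makes for a cross-origin JSON POST,
    plus the same POST from a page on a rogue origin (all constructed)."""
    preflight = cors_headers("OPTIONS", {
        "Origin": "https://www.myhomepage.com",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "content-type",
    })
    actual = cors_headers("POST", {
        "Origin": "https://www.myhomepage.com",
        "Content-Type": "application/json",
    })
    rogue = cors_headers("POST", {"Origin": "https://rogue.example"})
    return preflight, actual, rogue


if __name__ == "__main__":
    for label, (status, hdrs) in zip(("preflight", "actual POST", "rogue POST"), exchange()):
        print(label, status, hdrs)
```

The rogue case gets a response with no Access-Control-* headers, which is what makes the browser refuse to give it to the page. CORS only governs what a browser lets a page read: it does not stop curl or a server-side script from calling the API, so it complements, rather than replaces, the key-based checks discussed earlier in the thread.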