Restricting access to data with REST

3

I would like to know if it is possible to restrict access to the data of my REST application.

For example, I have the XML / JSON that it returns at link >, where it returns my list of users.

So anyone who discovers the URL can access the data directly through it, getting all the information, and sometimes can even change it using browser plugins.

I wanted to know if this exists, and what I could do to prevent it from happening. I am currently working on the application in Java, but I also work with ASP.NET, so if you know solutions for both, they are all welcome.

asked by anonymous 25.07.2014 / 22:17

1 answer

4

The answer to your question is: Yes, there are many ways to do this, from the most common with HTTP authentication to generating certificates or tokens.

  • Authentication / Authorization HTTP Basic: In HTTP Basic authentication, the client's user name and password are sent to the server Base64-encoded. This form of authentication provides some access control, but is vulnerable to network eavesdropping, which would allow an attacker to obtain the user name and password and proceed to make requests using the data obtained. However, using HTTPS to protect the channel solves this problem.
  • Authentication / Authorization HTTP Digest: HTTP Digest authentication is another form of access control for web resources, and is more secure than HTTP Basic. It applies an MD5 cryptographic hash to the password before sending it over the network, using nonce values to protect against replay attacks. The MD5 calculations used in Digest authentication are meant to be one-way, i.e. it should be difficult to obtain the input value from the output alone. However, if the password is too simple, it should not be so costly to break it by brute force.
  • Authentication / Authorization through Certificates: Authentication / authorization through client-side certificates is an additional security refinement over HTTPS communication, which can already be done with server-side certificates only. This form of authentication / authorization is quite secure, but the work and cost of dealing with two-sided certificates is reasonable, and it is suitable only in very security-sensitive scenarios.
  • Token-based authorization: This is a simple and secure way to control authentication / authorization of services between servers, even though it is not a standard.
  • OAuth: This is an open standard for authorization. It provides a method for clients to access resources on the server on behalf of the resource owner (such as another client or an end user). It also provides a means for end users to authorize third-party access to their resources on a server without sharing their credentials, usually through redirects and confirmations by the users. OAuth is commonly used when we have an application that needs to manipulate APIs with end users' data and they need to authorize access. Typical examples are applications that connect to the user's account on social networks. Although it can be used for authorization between servers, this is not very common. While it is secure, OAuth does not have such wide adoption because of the complexity of implementation.

Source: link

Basic Http Authentication: link

25.07.2014 / 22:27
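Added example, not part of the question or the answer above: the server-side checks behind the Basic, Digest and token items of the answer, with the matching client side for the first two so the exchange is visible end to end. It is written in Python so it runs stand-alone; the realm, user record, passwords, nonces and HMAC key are constructed values, and the same logic ports directly to a Java servlet filter or an ASP.NET message handler.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample data: one user, one realm, one server-side HMAC key.
REALM = "example-api"
TOKEN_KEY = b"constructed-server-secret"   # assumption: known only to the server
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        # Basic auth never needs the clear-text password on the server: store a slow hash.
        "pbkdf2": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        # Digest auth (RFC 2617) needs HA1 = MD5(user:realm:password) on the server.
        "ha1": hashlib.md5(b"alice:example-api:correct horse").hexdigest(),
    }
}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# ---- HTTP Basic: credentials are only Base64, so this is safe only over HTTPS ----
def basic_header(user: str, password: str) -> str:
    """What the client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def verify_basic(header: str) -> Optional[str]:
    """Server side: return the user name for valid credentials, else None."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(encoded, validate=True).decode().partition(":")
    except ValueError:            # bad Base64 or bad UTF-8
        return None
    record = USERS.get(user)
    if record is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    # constant-time compare: a plain == would leak how many bytes matched
    return user if hmac.compare_digest(candidate, record["pbkdf2"]) else None


# ---- HTTP Digest (qop=auth): password never crosses the wire, nonce blocks replay ----
def digest_header(user, password, method, uri, nonce, cnonce, nc="00000001") -> str:
    """What the client sends in reply to the server's nonce challenge."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def verify_digest(header: str, method: str, issued_nonces: set) -> Optional[str]:
    """Server side. issued_nonces holds the nonces this server handed out; a nonce
    is consumed on success, so the identical response cannot be replayed."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        return None
    p = {}
    for part in params.split(","):          # values in this example contain no commas
        k, _, v = part.strip().partition("=")
        p[k] = v.strip('"')
    needed = {"username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce"}
    if not needed.issubset(p) or p["realm"] != REALM or p["qop"] != "auth":
        return None
    if p["nonce"] not in issued_nonces:
        return None
    record = USERS.get(p["username"])
    if record is None:
        return None
    ha2 = _md5(f"{method}:{p['uri']}")
    expected = _md5(f"{record['ha1']}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    if not hmac.compare_digest(expected.encode(), p["response"].encode()):
        return None
    issued_nonces.discard(p["nonce"])
    return p["username"]


# ---- Bearer token "user.expiry.HMAC": forging or altering any part breaks the HMAC ----
def issue_token(user: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    payload = f"{user}.{now + ttl_seconds}"
    sig = hmac.new(TOKEN_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}.{sig}"


def verify_token(header: str, now: Optional[int] = None) -> Optional[str]:
    scheme, _, token = header.partition(" ")
    parts = token.rsplit(".", 2)
    if scheme != "Bearer" or len(parts) != 3:
        return None
    user, expiry, sig = parts
    expected = hmac.new(TOKEN_KEY, f"{user}.{expiry}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    now = int(time.time()) if now is None else now
    return user if now < int(expiry) else None
```

Two design points worth carrying over to whichever stack you use: every secret comparison goes through a constant-time function, and each scheme stores only what it needs (a slow salted hash for Basic, the RFC 2617 HA1 for Digest, a single HMAC key for tokens), so a copy of the user table does not hand out reusable passwords. Basic and Bearer headers are both trivially readable on the wire, so they belong behind HTTPS, exactly as the answer says.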