REST API server-side only

3

Hello, I have a RESTful API in Java, using JAX-RS, that will be consumed by another application that will be online.

I'd like to prevent people from accessing the API directly and allow access only from the web application.

Is there a way to lock this down without having to create a password authentication system?

I was thinking of checking the IP of the web application server, but since the requests are AJAX, the IP that would be sent is the client's, so that would not be possible.

Is there any way to prevent other users from accessing the API directly?

asked by anonymous 13.02.2016 / 07:30

2 answers

1

The answer is no: authentication exists so that you can solve this problem in a secure and uniform way within the HTTP protocol.

You have these options, among others listed here; these are the most used and recommended:

Basic Authentication (TLS)

Basic Authentication is the easiest to implement, because most of the time it can be implemented without any extra library. Its problem is that it is "basic", and so its level of security is lower than that of other protocols. You send your username and password as Base64 encoding, and it relies on SSL (TLS) to further encrypt them. After that you can create a session table, generate a hash and use that in your application, saving it in the browser.

OAuth2:

OAuth2 uses SSL (TLS) to encrypt the password/user and other non-mandatory properties such as scope. It is actually a protocol, a complex one, used in the authorization systems of Google and Facebook. I use it in a big project, and I do not recommend it for this.

Use something more native to Java.

In the case of JAX-RS, there is surely something for authentication. In your case, I recommend #.

Third-party services like Stormpath

You can use third-party services to do all the work, but it's an extra cost, and you get somewhat tied to the service. link

13.02.2016 / 08:57
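The answer above names HTTP Basic authentication over TLS as the simplest option for a JAX-RS service but shows no code. The filter below is an added example, not code from the original answer or from any JAX-RS project: it implements Basic authentication as a JAX-RS 2.0 `ContainerRequestFilter`, refuses credentials that did not arrive over TLS (Base64 is encoding, not encryption), and compares the password in constant time. The class name, the `USERS` map, the realm name and the `webapp` credentials are assumptions for illustration; a real service would look the user up in a store of salted password hashes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Added example: HTTP Basic authentication as a JAX-RS 2.0 request filter.
 * With @Provider the runtime registers it when it scans the application classes.
 */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class BasicAuthFilter implements ContainerRequestFilter {

    // Hypothetical credential store; in production this is a user table with salted hashes.
    private static final Map<String, String> USERS =
            Collections.singletonMap("webapp", "correct horse battery staple");

    @Override
    public void filter(ContainerRequestContext ctx) {
        // Basic credentials are only Base64-encoded, so refuse them over plaintext HTTP.
        if (!ctx.getSecurityContext().isSecure()) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN)
                    .entity("Basic authentication requires TLS").build());
            return;
        }
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            challenge(ctx);
            return;
        }
        String[] creds = decode(header.substring(6).trim());
        if (creds == null || !valid(creds[0], creds[1])) {
            challenge(ctx);
        }
        // Otherwise the request proceeds to the resource method.
    }

    /** Splits "user:password" out of the Base64 payload; null on malformed input. */
    static String[] decode(String b64) {
        try {
            String pair = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            if (colon < 0) {
                return null;
            }
            return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
    }

    static boolean valid(String user, String password) {
        String expected = USERS.getOrDefault(user, "");
        // MessageDigest.isEqual compares in constant time for equal-length inputs,
        // so a wrong guess does not reveal how many leading bytes matched.
        return !expected.isEmpty() && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
    }

    private static void challenge(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"api\", charset=\"UTF-8\"")
                .build());
    }
}
```

Note what this does and does not achieve for the question asked: it proves that whoever sends the request knows the `webapp` password. If that password is embedded in JavaScript served to browsers, every user of the web application can read it and call the API directly, which is exactly the point the second answer makes about copyable tokens.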
1

If I understand correctly, the browsers of the users of the other application will make AJAX requests to your web service.

In this case you cannot, and should not try to, authenticate this other application, since the request does not pass through it.

Actually, you can even try some kludge, but it will be very insecure, since the information goes somewhere else and anyone could simulate a request. If you want something unsafe you can even opt for something like having the application send a token to the browser that will be valid in your web service, but of course anyone can copy this token.

For AJAX requests to work from another domain, you'll need to set the HTTP CORS headers. These headers allow you to specify the domain that can access the web service. Again, the request can be forged, but it is added security.

The definitive solution would be Single Sign-On (SSO), meaning the user will also be authenticated in your application. For this, one alternative is to use the OAuth protocol, as suggested in the other answer.

15.02.2016 / 03:12
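The answer above says the web service must send CORS headers naming the domain allowed to call it, and that this is browser-enforced rather than a real access control. The filter below is an added example, not code from the original answer or from any JAX-RS project: a JAX-RS 2.0 `ContainerResponseFilter` that grants cross-origin access only to an exact allowlisted origin, never echoes an arbitrary `Origin` back, and answers the preflight `OPTIONS` request. The class name, the `ALLOWED_ORIGINS` set and the origin `https://webapp.example.com` are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.ws.rs.HttpMethod;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.ext.Provider;

/**
 * Added example: CORS headers for a JAX-RS 2.0 service with a strict origin allowlist.
 * CORS only controls what a browser lets a script on another site read; a non-browser
 * client (curl, a script) ignores it entirely, so this is not an authentication mechanism.
 */
@Provider
public class CorsFilter implements ContainerResponseFilter {

    // Hypothetical allowlist: the web application's exact origin (scheme + host + port).
    // A wildcard "*" here would let any site's script read the responses.
    private static final Set<String> ALLOWED_ORIGINS =
            Collections.singleton("https://webapp.example.com");

    @Override
    public void filter(ContainerRequestContext req, ContainerResponseContext res)
            throws IOException {
        String origin = req.getHeaderString("Origin");
        if (origin == null) {
            // Same-origin navigation or a non-browser client: no CORS headers to add.
            return;
        }
        // The response differs by Origin, so shared caches must key on it,
        // even when the origin is rejected below.
        res.getHeaders().add(HttpHeaders.VARY, "Origin");

        if (!ALLOWED_ORIGINS.contains(origin)) {
            // Leaving Access-Control-Allow-Origin out makes the browser withhold the
            // response body from the calling script. Never copy req's Origin back blindly.
            return;
        }
        res.getHeaders().putSingle("Access-Control-Allow-Origin", origin);
        // Allow cookies / Authorization headers to accompany the cross-origin request.
        res.getHeaders().putSingle("Access-Control-Allow-Credentials", "true");

        boolean preflight = HttpMethod.OPTIONS.equals(req.getMethod())
                && req.getHeaderString("Access-Control-Request-Method") != null;
        if (preflight) {
            // Preflight: tell the browser which methods and headers the real request may use,
            // and let it cache the answer for ten minutes.
            res.getHeaders().putSingle("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            res.getHeaders().putSingle("Access-Control-Allow-Headers", "Authorization, Content-Type");
            res.getHeaders().putSingle("Access-Control-Max-Age", "600");
        }
    }
}
```

Two practical caveats: the preflight `OPTIONS` request is sent by the browser without cookies or an `Authorization` header, so if an authentication filter sits in front of the resources it must let `OPTIONS` through or the preflight fails with 401 and the real request is never made; and allowing credentials together with an echoed origin is only safe because the origin was checked against the allowlist first.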