Reputation: 603
Mechanism to secure a private internal web api from public access
I have a java application consisting of a static HTML page and JS. In the application I have REST-like API which is called by JS from static HTML. In front of the application is a front-end proxy server, say Nginx or Apache. the front-end server is located on server S1 and servlet container is located on server S2.
I have a page http://example.com/mycontext/page.html which includes the JS file invoking REST API located at http://example.com/mycontext/api/someresource The front-end passes all request matching http://example.com/mycontext/ to my application.
I want to introduce another web api in my application for internal use only, i.e. this new api should be invoked and visible only by other applications in my intranet (say from server S3), not from the internet.
I want this api to be HTTP-based, WS or REST-like, and to be managed by the same servlet container, say Tomcat, in which my app is deployed.
What options do I have?
Upvotes: 0
Views: 1483
Answers (1)
Reputation: 122364
My front-end passes all request matching
http://example.com/mycontext/*to my application
The easiest answer in this case would be to change the front end not to pass http://example.com/mycontext/private/* through, and then have other servers access your internal API directly on http://server.internal.ip:8080/mycontext/private.
Upvotes: 2
Related Questions
- How to protect public APIs (no credentials) from being exploited?
- Correct approach to secure the back end service - oAuth
- One web application provide both public and internal API, how to protect the internal API?
- Security: Restrict internal access by third-party software
- Securing web-API access
- Securing Rest Web Service for Public Authentication - Server to Server
- What is the best way to secure SOAP web service on an internal private network
- Recommended ways to secure a webservice?
- Secure Java Web Services
- Securing a REST API