Reputation: 28312
We have a client that calls our web services. How can we make sure that it is only our client application that is calling the web service, and not a client someone else created that calls our web services?
We'd like to avoid hard coding a password into the application.
Upvotes: 4
Views: 344
Reputation: 488
In this case you can use two-legged OAuth. This is a variation on standard OAuth and is used by companies such as SimpleGeo. Then secure the communication with https and you have a robust solution.
Upvotes: 3
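An added example (not code from any answer on this page) of the two-legged OAuth 1.0a flow the answer above names: the client signs each request with HMAC-SHA1 under its consumer secret as in RFC 5849, and the server re-derives the signature, bounds the timestamp and rejects nonce replays. The consumer key, secret, URL and the `Verifier` class are made-up assumptions.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(s):
    # RFC 5849 section 3.6 encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # params holds every query/body/oauth_* parameter except oauth_signature
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(norm)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Two-legged flow: there is no access token, so the token-secret half is empty.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def client_sign(method, url, params, consumer_key, consumer_secret, nonce=None, ts=None):
    # Client side: build the oauth_* protocol parameters and attach the signature.
    oauth = {"oauth_consumer_key": consumer_key,
             "oauth_nonce": nonce or secrets.token_hex(16),
             "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(ts or int(time.time()))}
    oauth["oauth_signature"] = sign(method, url, {**params, **oauth}, consumer_secret)
    return oauth

class Verifier:
    # Server side (assumed): look up the secret by consumer key, check freshness, reject replays.
    def __init__(self, secrets_by_key, window=300):
        self.secrets, self.window, self.seen = secrets_by_key, window, set()
    def verify(self, method, url, params, oauth, now=None):
        now = now if now is not None else int(time.time())
        key, ts = oauth.get("oauth_consumer_key", ""), oauth.get("oauth_timestamp", "")
        secret = self.secrets.get(key)
        if secret is None or oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        if not ts.isdigit() or abs(now - int(ts)) > self.window:  # malformed or stale
            return False
        replay_id = (key, ts, oauth.get("oauth_nonce", ""))
        if replay_id in self.seen:  # nonce already accepted inside the window
            return False
        unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
        expected = sign(method, url, {**params, **unsigned}, secret)
        if not hmac.compare_digest(expected.encode(), oauth.get("oauth_signature", "").encode()):
            return False
        self.seen.add(replay_id)  # a real server would prune entries older than the window
        return True
```

This proves possession of the consumer secret, which still ships inside the client, so on its own it does not answer the reverse-engineering point made in the other answer; it does stop passive observers and replayed captures.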
Reputation: 120576
If you don't care about clients not running in a browser, then you can use XSRF tokens, a secret per session that is either associated with some session key in your backend, or round-tripped through two separate paths, such as via a hidden form input and a cookie over a secure channel. If you can't secure the channel, you have to make the tokens single-use. See http://www.cgisecurity.com/csrf-faq.html#protectapp
You can't in the general case. A reasonably intelligent hacker can probably reverse engineer any protocol you use, and extract any secrets you embed in the source code.
Upvotes: 1
Reputation: 457
A quick answer to your question would be to look into OAuth. Implementing OAuth correctly is a process, so I would read up on the protocol documentation. Here is a link to example OAuth client libraries. I would also search StackOverflow for advice on OAuth implementations.
Upvotes: 3