Steven

Reputation: 19425

How can I prevent others from accessing my webservices?

I'm creating a PhoneGap solution and in order to fetch data from my site, we are using jsonp.

A lot of expensive work has been put down to create this data, and I only want my own site and those who have the app to be able to fetch the data.

How can I prevent any others from getting the data?

Upvotes: 2

Views: 133

Answers (3)

symcbean

Reputation: 48357

What kind of app?

JSON implies JavaScript, implies an HTML app - in which case you should establish authentication and a session, then use a session cookie to authenticate the subsequent ajax calls.

If it's an app deployed on the client (i.e. java) then it may be sufficient to use a static nonce compiled into the app and send a salted hash of the request parameters with every request to verify the origin of the request.

But if someone is really determined it's not too hard to decompile and reverse engineer the authentication.

Both require some smarts server-side.

how can you password-protect a jsonp url?

erk!

Upvotes: 0
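The second option in the answer above (a secret compiled into the app, with every request carrying a keyed hash of its parameters) looks like this in practice. This is an added example, not code from the answer; it uses HMAC-SHA256 in place of a plain salted hash, adds a timestamp so old captures expire, and the key, parameter names and timestamps are made up. The comment in the code restates the answer's own caveat: a key shipped inside the app can be recovered by anyone who decompiles it.

```python
"""Signed requests: the app signs the parameters of every call with a key
compiled into it, and the server recomputes the signature before serving
data.  Added example; key and parameter names are constructed."""
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Assumption: this key is compiled into the app and configured on the server.
# Anyone who decompiles the app can recover it (the weakness the answer
# points out), so it only raises the bar; it is not a substitute for per-user
# authentication.
APP_KEY = b"example-key-compiled-into-the-app"
MAX_SKEW_SECONDS = 300  # reject signatures older than 5 minutes (limits replay)

def canonical(params):
    """Serialise the parameters identically on both sides: sorted keys,
    URL-encoded, with the signature field itself left out."""
    items = sorted((k, str(v)) for k, v in params.items() if k != "sig")
    return urlencode(items).encode()

def sign_request(params, key=APP_KEY, now=None):
    """Client side: add a timestamp, then an HMAC-SHA256 over the canonical form."""
    signed = dict(params, ts=int(now if now is not None else time.time()))
    signed["sig"] = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return signed

def verify_request(params, key=APP_KEY, now=None):
    """Server side: recompute the HMAC and check freshness.  Returns (ok, reason)."""
    now = now if now is not None else time.time()
    if "sig" not in params or "ts" not in params:
        return False, "missing signature or timestamp"
    try:
        ts = int(params["ts"])
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale request"
    expected = hmac.new(key, canonical(params), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the check leaks nothing via timing
    if not hmac.compare_digest(expected, str(params["sig"])):
        return False, "bad signature"
    return True, "ok"

def demo():
    """A valid call, a tampered parameter, a late replay and an unsigned call."""
    t0 = 1_700_000_000  # constructed timestamp
    req = sign_request({"dataset": "prices", "page": 2}, now=t0)
    return {
        "valid": verify_request(req, now=t0 + 10)[0],
        "tampered": verify_request(dict(req, page=3), now=t0 + 10)[0],
        "replayed_late": verify_request(req, now=t0 + 3600)[0],
        "unsigned": verify_request({"dataset": "prices", "page": 2}, now=t0)[0],
    }

if __name__ == "__main__":
    print(demo())
```

The server only ever sees a query string, so `canonical` coerces every value to a string before encoding; that keeps the client's integer `page=2` and the server's `"2"` hashing to the same bytes.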

user121356

Reputation:

What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.

Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. Then create a self-signed client and deploy that within your application as a resource. Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.

If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.

Upvotes: 1
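The high-level approach in the answer above, carried out in-process with Python's standard `ssl` module: the server requires a client certificate and trusts exactly the one shipped in the app; the app trusts exactly the one server certificate. This is an added example, not the answer's code. It assumes the `openssl` command-line tool is on PATH and generates throwaway self-signed certificates on the fly; a real deployment would create them once, install the server pair on the web server and bundle the client pair as an app resource. The "someone-else" certificate stands in for any party that is not your app.

```python
"""Mutually authenticated TLS between an app and its server, demonstrated
in-process with Python's stdlib ssl module.  Added example; assumes the
openssl CLI is available.  Certificate names are constructed."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

def make_self_signed(directory, name):
    """Generate a self-signed certificate and private key for <name>."""
    crt = os.path.join(directory, name + ".crt")
    key = os.path.join(directory, name + ".key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=" + name],
                   check=True, capture_output=True)
    return crt, key

def server_context(server_crt, server_key, client_crt):
    """Server side: present our certificate and accept only the one client cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_crt, server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED            # a client cert is mandatory...
    ctx.load_verify_locations(cafile=client_crt)   # ...and only this one is trusted
    return ctx

def client_context(server_crt, client_crt=None, client_key=None):
    """App side: trust only the one server certificate (pinning) and, when we
    have one, present our own client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # the pinned cert alone identifies the server
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=server_crt)
    if client_crt:
        ctx.load_cert_chain(client_crt, client_key)
    return ctx

def fetch(server_ctx, client_ctx, payload=b"expensive-data"):
    """Serve one TLS connection on localhost and return what the client
    received (b"" when the server rejects the handshake)."""
    listener = socket.socket()
    listener.settimeout(10)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        try:
            conn, _ = listener.accept()
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(payload)
        except OSError:
            pass   # handshake failed: the peer did not present the trusted client cert
    thread = threading.Thread(target=serve)
    thread.start()

    received = b""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
            with client_ctx.wrap_socket(raw, server_hostname="127.0.0.1") as tls:
                received = tls.recv(1024)
    except OSError:
        pass       # rejected by the server: alert or reset during/after the handshake
    thread.join()
    listener.close()
    return received

def demo():
    """The real app, a client with no cert, and a client with its own (untrusted) cert."""
    with tempfile.TemporaryDirectory() as d:
        s_crt, s_key = make_self_signed(d, "server")
        c_crt, c_key = make_self_signed(d, "app")
        x_crt, x_key = make_self_signed(d, "someone-else")
        srv = server_context(s_crt, s_key, c_crt)
        return (
            fetch(srv, client_context(s_crt, c_crt, c_key)),   # the bundled cert: data served
            fetch(srv, client_context(s_crt)),                 # no client cert: rejected
            fetch(srv, client_context(s_crt, x_crt, x_key)),   # someone else's cert: rejected
        )

if __name__ == "__main__":
    print(demo())
```

Hostname checking is switched off on the client because the trust store holds a single self-signed leaf certificate: anything that validates against it is that certificate, so pinning already identifies the server. Keep in mind what the first answer notes about compiled-in secrets: the client private key ships inside the app, so this stops casual callers and scrapers rather than someone willing to unpack the app.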

Daniel Magnusson

Reputation: 9674

Step one is to password protect the jsonp url, and any other urls you have content in. Step two is to use https to avoid those sniffers grabbing any of your data.

I think you're done here; it doesn't seem any harder than any other web site out there?

Upvotes: 0
