I'm writing a client for my web application, and I signed the release jar with my developer certificate. How can I verify that a request to the REST service came from my signed jar?
- (+13) You cannot. Any person possessing your signed jar can disassemble it and, therefore, find out how to fake such requests. You might make it more difficult by static or dynamic obfuscation, but that merely raises the hurdle a bit. If, on the other hand, you try to defend against attackers without access to your jar, that jar may include a private key to use for signing the REST service requests. – mkl Apr 21 '15 at 07:25
- (+3) What is the underlying problem you're trying to solve? If you edit your question to include that, we might be able to suggest an alternate solution. – merlin2011 Apr 23 '15 at 05:12
- (+6) @mkl is right. Any service which is publicly reachable and which someone can get hold of a client for can be reverse-engineered, and with the client in hand, there's no way to prevent someone from finding your private key or other secret-keeping mechanism. In general, try not to worry too much about what *application* is sending requests to your service; worry about what *user* is sending them. If I'm logged in and authenticated, it shouldn't matter if I use your custom client or telnet. – Chris Hayes Apr 23 '15 at 05:15
- (+1) Related: http://security.stackexchange.com/questions/86492 – Chris Hayes Apr 23 '15 at 05:43
- (+1) Before adding the bounty, you had indeed better have updated the question. If you only want to defend against casual attackers or script kiddies, a certain amount of obfuscation may suffice. If you want to defend against professionals seriously trying to overcome your hurdles, it won't. Thus, please explain your security requirements more clearly. – mkl Apr 23 '15 at 05:57
1 Answer (+6)
You cannot. Signing is for execution validation, which means it happens on the server side. But you want to check the signature on the HTTP/REST request on the client side, and the client side has no such validation.
You can add something to the response itself and validate it on the client side, but, again, nothing prevents any other server from sending the same value and so pretending to be your server.
You can also add some behavioural characteristics to your jar (like session cookies), but, again, nothing prevents other jars from emulating them too.

– Alex
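The mechanism mkl's comment sketches (a signing key shipped inside the jar, checked by the service) and the limit the answer and comments describe (anyone holding the jar can extract the key and forge requests) are shown below in working code. This is an added example, not code from the original question, comments or answer, and it uses Python rather than Java so both sides of the exchange fit in one file; every name in it (`sign_request`, `Server`, the `/api/orders` path, the key bytes, the constructed request bodies) is an assumption chosen for illustration.

```python
"""Added example (not code from the original question, comments or answer):
a REST client that signs each request with a key embedded in the jar, the
server-side check for it, and a demonstration of why the server still cannot
tell the genuine jar from a caller who extracted that key.  Every name here
(sign_request, Server, the /api/orders path, the key bytes) is an assumption
chosen for illustration."""
import hashlib
import hmac
import secrets
import time

# Assumed: the secret a release jar would carry.  Anyone who can run the jar
# can also decompile it and copy this constant, as the comments above note.
EMBEDDED_KEY = bytes.fromhex(
    "9f1c5c2e8a4d7b3f0e6a2d9c4b8f1e7a3c5d2b9e6f4a8c1d7b3e9f2a5c6d8e0f")
REPLAY_WINDOW_SECONDS = 300


def canonical_string(method, path, body, timestamp, nonce):
    """Bytes both sides MAC over: method, path, time, nonce and a body digest."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(key, method, path, body, timestamp=None, nonce=None):
    """Client side: returns the headers that accompany the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(key, canonical_string(method, path, body, timestamp, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class Server:
    """Server side: holds the same key; rejects bad, stale and replayed requests."""

    def __init__(self, key, now=time.time):
        self._key = key
        self._now = now            # injectable clock so the demo is deterministic
        self._seen_nonces = set()  # in production this would be a store with a TTL

    def verify_request(self, method, path, body, headers):
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
        except (KeyError, ValueError):
            return False
        if abs(self._now() - timestamp) > REPLAY_WINDOW_SECONDS:
            return False                     # stale: outside the replay window
        if nonce in self._seen_nonces:
            return False                     # replay of a request already accepted
        expected = hmac.new(self._key,
                            canonical_string(method, path, body, timestamp, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False                     # tampered body/path, or wrong key
        self._seen_nonces.add(nonce)
        return True


def demo(now=1_700_000_000):
    """Runs the exchange with a fixed clock and returns what the server decided."""
    server = Server(EMBEDDED_KEY, now=lambda: now)
    method, path, body = "POST", "/api/orders", b'{"item": 42, "qty": 1}'  # constructed

    # 1. Genuine jar: a request signed with the embedded key is accepted.
    genuine = sign_request(EMBEDDED_KEY, method, path, body, timestamp=now, nonce="11" * 16)
    accepted_genuine = server.verify_request(method, path, body, genuine)

    # 2. Replay of the captured request: same nonce, rejected.
    accepted_replay = server.verify_request(method, path, body, genuine)

    # 3. Body altered in transit after signing: digest mismatch, rejected.
    signed = sign_request(EMBEDDED_KEY, method, path, body, timestamp=now, nonce="22" * 16)
    accepted_tampered = server.verify_request(method, path, b'{"item": 42, "qty": 999}', signed)

    # 4. Old request re-sent an hour later: outside the window, rejected.
    stale = sign_request(EMBEDDED_KEY, method, path, body, timestamp=now - 3600, nonce="33" * 16)
    accepted_stale = server.verify_request(method, path, body, stale)

    # 5. Attacker who decompiled the jar and copied EMBEDDED_KEY into a script
    #    of their own: the server has no way to tell this from the real jar.
    forged_body = b'{"item": 1, "qty": 10000}'
    forged = sign_request(EMBEDDED_KEY, method, path, forged_body, timestamp=now, nonce="44" * 16)
    accepted_forged = server.verify_request(method, path, forged_body, forged)

    return {
        "genuine": accepted_genuine,
        "replayed": accepted_replay,
        "tampered": accepted_tampered,
        "stale": accepted_stale,
        "forged_with_extracted_key": accepted_forged,
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>26}: {'accepted' if accepted else 'rejected'}")
```

The signature, timestamp and nonce do real work against an attacker who only sees traffic: altered bodies, replays and stale requests are all rejected. What they cannot do is identify the program: the key is identical in every copy of the jar, so case 5 is accepted and the server learns only "sent by something that holds the key". Issuing the key per user at login (a session secret or token) keeps the same mechanics but changes what the server learns to "sent by this user", which is the shift Chris Hayes recommends in the comments above.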