
I'm building a REST application with spring, and would like to secure the methods as they will be reachable both within the intranet and later on by some customers.

All requests are GET only. How can a basic, yet strong enough security be implemented? An additional get parameter like ?key=12345 where each customer gets his own key?

Or how could this be done?

membersound

2 Answers

2

First, if you pass the parameters as query params in the URL, anyone can see the value of the parameter with a sniffer.

You must pass these parameters in the header, using SSL. Thus, these parameters are unreadable with a sniffer.

EDIT: As Kevin says, this information is not visible from a sniffer, only the server IP. But it is still insecure because:

  • Full URLs (with sensitive data) are stored in the browser history
  • Full URLs are stored in web server logs.
  • Full URLs are passed in Referrer headers.
  • If you are using SSL you should only see the IP address and the DNS request. Query params should NOT be visible, or your SSL implementation is broken. Now there are other reasons not to put them there, but that is not one of them. http://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl – Kevin Jul 17 '15 at 04:38
  • Kevin is absolutely right. I always thought that from a sniffer you could see all the information. But if you go a bit deeper into this, you are right that from a sniffer this is not visible. Despite this, passing parameters in the URL remains quite uncertain. – Gabi Carballo Jul 17 '15 at 07:25
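The header-over-TLS approach from this answer expressed as a Spring Security configuration, added here as an example (not code from the question or either answer). It assumes Spring Boot 3 / Spring Security 6, a header name `X-API-Key` chosen for the example, and a constructed key store with one made-up customer key.

```java
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import org.springframework.context.annotation.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class ApiKeySecurityConfig {
    // Constructed key store: SHA-256 hex of each customer's key -> customer id; a leaked table leaks no working key.
    static final Map<String, String> KEY_HASH_TO_CUSTOMER = Map.of(sha256Hex("customer-a-example-key"), "customer-a");

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.requiresChannel(c -> c.anyRequest().requiresSecure())      // never accept the key over plain HTTP
            .authorizeHttpRequests(a -> a.anyRequest().authenticated()) // no valid key, no data
            .addFilterBefore(new ApiKeyFilter(), UsernamePasswordAuthenticationFilter.class); // plain object, not a bean, so Boot does not register it twice
        return http.build();
    }

    static String sha256Hex(String s) {
        try {
            return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    // Reads the key from the X-API-Key header only; a ?key= query parameter is ignored,
    // so the key never lands in browser history, server logs or Referer headers.
    static class ApiKeyFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            String key = req.getHeader("X-API-Key");
            String customer = key == null ? null : KEY_HASH_TO_CUSTOMER.get(sha256Hex(key));
            if (customer != null) {
                SecurityContextHolder.getContext().setAuthentication(UsernamePasswordAuthenticationToken
                        .authenticated(customer, null, List.of(new SimpleGrantedAuthority("ROLE_CUSTOMER"))));
            }
            chain.doFilter(req, res); // unauthenticated requests are rejected by authorizeHttpRequests
        }
    }
}
```

A client then sends `curl -H 'X-API-Key: customer-a-example-key' https://host/api/...`; the same key in `?key=` is ignored and the request is refused, and the `requiresChannel` rule sends plain-HTTP callers to HTTPS before the header is ever read.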
0

Hello, there are many points to consider when you are building a REST application. If something is related to security, I recommend you check OWASP; check the link to analyze what you need to take care of.

Talking about frameworks, it depends on your architecture. Some of the frameworks that I recommend you analyze are the following:

  1. Spring Security
  2. Apache Shiro
  3. Stormpath
  4. ApacheDS

I hope that it helps you.