Secure Ajax call On Rest Api

Question

This question has been asked to me in a interview. i search on web but can't find a thread that explains it in a way that makes sense to me.

Suppose is i had a web service which return a list of something and available In public Domain(Any body can use That) For security User need A key to Access that web service.

How can i use That web service securely in Ajax.

Problem is if i use Ajax to access that web service any body can able to see my private key,

I suggest for a encryption but i have to pass that key in decrypt(as i get )in form Than i suggest for a mediator file(at server side) on which i can call that web service but what if somebody directly access that mediator file (i know same origin policy )

i really want to know what are the possible solution to overcome to these problem and what is best practice to make a secure ajax call on rest

Answer 1

In fact, there is a dedicated security flow in OAuth2 for this particular use case called "Implicit Grant Flow".

You could have a look at these links for more details:

• http://www.bubblecode.net/en/2013/03/10/understanding-oauth2/#Implicit_Grant
• https://www.rfc-editor.org/rfc/rfc6749#section-4.2

If you don't use OAuth2, you can propose the user to authenticate and get back an access token. You could store it within the local storage of your browser but you need to be very careful with XSS. This question (and its answers) could provide you some hints regarding such issue: What are (if any) the security drawbacks of REST Basic Authentication with Javascript clients?.

Hope it helps you, Thierry

Answer 2

We are using cookies for this. And like the Session we have stored the secure key on the Web-Server. With the Cookie we can get the secure key. So he just see the "key" of his key. There is no option to hide all information from the client. But you can show him information, he cant use directly.

But at all, there is the fishing problem. If someone fishes your cookies, he has your "key" of your secure key. Many others are doing it simular. E.g. Facebook.

This is not specific for Ajax calls, but since it works for both, normal GETs and AJAX Calls, it would be a solution.

Answer 3

If you do not have 100% control of both client side and server side, you may want to use client-side authenticate solution (e.g. Oauth 1 or 2). If you do have 100% control of both client side and server side, easy way is to use basic authenticate + SSL.

What our project is : - I have a restful service. We provide restful service in SSL. - Only our partner companies can use it through internet.

What we did is: - They have their username/password in their request (is a Ajax) in their internal application (not public-accessed web page) - sample as following restful code (you can test by Postman):

//  to inject request 
@Context
private HttpServletRequest request; 

@GET
@Path("/testAuth")
@Produces(MediaType.APPLICATION_JSON)
public Response testAuth() {
    // TODO 
    // this is only a template for doing authentication in the near future
    String returnString = "";

    //check if authenticated
    String authorization = request.getHeader("Authorization");
    if (authorization == null ||             authorization.toUpperCase().startsWith("BASIC ") == false) {
        //no authenticated
        returnString =  "{\"testAuth\", \"need authentication\"}"; 
        return Response.status(401).entity(returnString).build();
    } else{

        String credentials =     authorization.substring("Basic".length()).trim();
        byte[] decoded = DatatypeConverter.parseBase64Binary(credentials);
        String decodedString = new String(decoded);
        String[] actualCredentials = decodedString.split(":");
        String ID = actualCredentials[0];
        String Password = actualCredentials[1];
        String Result = userAuthenticate(ID, Password);

        returnString =  "{\"testAuth\", \"" + 
            " (" + Result + ") \"}";
        return Response.status(200).entity(returnString).build();
    }   

}