My current system architecture for a web application looks like above. Essentially, it's just one code base that is being deployed in different contexts, so for instance, app1.localhost.com, app2.localhost.com.

These are my current challenges -

  • I need to query my webservices using ajax calls from the user's browser. But somehow I need to tell the webservices that the request is coming from user1 for app1 or user2 or app2. Accordingly, the webservice can go query the right schema in the database and return the results.
  • My webservices need to be stateless.
  • I cannot have the user tamper with the request from the browser.

Is this a flawed model? Are my expectations outside the standard way of doing this? What is the best way to realize this architecture?

Jay
  • You might want to have a look at the rules at programmers.stackexchange.com because I think this might be a better place to move your question to, because it is likely to be off topic for SO. – Marged Dec 02 '15 at 22:47
  • @Marged this question would need a little more work to be an acceptable [design review question at Programmers](http://meta.programmers.stackexchange.com/q/6502). Specifically, it might be a little too broad. –  Dec 02 '15 at 22:58
  • @Snowman I am sure Jay will be able to adapt – Marged Dec 02 '15 at 23:01
  • Sometimes I feel that stackoverflow.com should maybe default to coders.stackoverflow.com OR onlycode.stackoverflow.com – Jay Dec 03 '15 at 04:55
  • What worries me is that there are tens of thousands of architectural questions on this forum, like this one http://stackoverflow.com/questions/14354466/java-web-application-plugin-architecture?rq=1 for instance, which are so much broader, but they get answered over time. But for those questions I ask, which are much more specific, I seem to always get people recommending to close the question or move it to another forum. – Jay Dec 03 '15 at 04:58

1 Answer

Let's go through this step by step.

So your webservice needs to know the application and the user.

Easy: just include it in the request as a parameter or as part of the url.

Same goes for some information possibly provided by the user.

The challenge comes with the requirement that the user must not be able to change the request.

This is typically achieved by cryptographically signing the request (or the sensitive parts). I kind of assume that replay attacks are also an issue.

Create a certificate for the apps.

On the application server create a nonce.

Sign the nonce, the application name and the user name using the certificate.

Include nonce, servername, username and signature in the request used for the ajax call.

Check that nonce, servername, username and signature match in the webservice.

Check also that the nonce wasn't used before.

Checking the nonce does require some state, but just a list of nonces. If you make the nonces increasing, you can even discard any nonces much smaller than the last one you received, limiting the amount of state even more.

You should check if something like this exists as a ready-made protocol, because it is always a bad idea to create your own security-relevant protocols.

Jens Schauder
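The signing and nonce-check steps from the answer above, as an added example (not code from the original post). It swaps the certificate signature for HMAC-SHA256 with a per-app shared secret so it runs on the Python standard library; the keys, class names and `WINDOW` value are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo keys. The answer signs with a certificate (asymmetric);
# HMAC with a shared secret stands in here so only the stdlib is needed.
APP_KEYS = {"app1": b"demo-key-app1", "app2": b"demo-key-app2"}
WINDOW = 100  # assumed: how far behind the highest nonce a token may lag

def _mac(key, app, user, nonce):
    # A canonical JSON array keeps field boundaries unambiguous.
    msg = json.dumps([app, user, nonce], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class AppServer:
    """Issues the signed values the page puts into its ajax call."""
    def __init__(self, app):
        self.app, self.counter = app, 0

    def issue(self, user):
        self.counter += 1  # increasing nonce, as the answer suggests
        sig = _mac(APP_KEYS[self.app], self.app, user, self.counter)
        return {"app": self.app, "user": user, "nonce": self.counter, "sig": sig}

class WebService:
    """Verifies requests; its only state is a bounded nonce set per app."""
    def __init__(self):
        self.seen = {}     # app -> nonces accepted inside the window
        self.highest = {}  # app -> highest nonce accepted so far

    def verify(self, tok):
        key = APP_KEYS.get(tok.get("app"))
        if key is None or not isinstance(tok.get("nonce"), int):
            return False
        expected = _mac(key, tok["app"], tok.get("user"), tok["nonce"])
        if not hmac.compare_digest(expected.encode(), str(tok.get("sig")).encode()):
            return False  # app, user or nonce was changed in the browser
        app, n = tok["app"], tok["nonce"]
        high = self.highest.get(app, 0)
        seen = self.seen.setdefault(app, set())
        if n <= high - WINDOW or n in seen:
            return False  # too old to still be tracked, or a replay
        seen.add(n)
        self.highest[app] = max(high, n)
        # Discard nonces that fell out of the window to bound the state.
        self.seen[app] = {x for x in seen if x > self.highest[app] - WINDOW}
        return True
```

With several application-server instances per app, the counter would have to be shared between them or replaced by a per-instance nonce space.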