How to secure values being sent via HTTP request?

Question

I am developing a microservice, that implements a REST API. It is to take certain files form a shared network location and upload them to an FTP server.

Here is a sample code:

      @RequestMapping(method = RequestMethod.GET, value = "/ftpProcess", produces = "text/plain")
public String ftpFiles() throws UnknownHostException {
    String status = "" ;

    JSch jsch = new JSch();
    Session session = null;
    try {
        session = jsch.getSession("ftpUserName", "ftpHost", 10022);
        session.setConfig("StrictHostKeyChecking", "no");
        session.setPassword("ftpPassword");
        session.connect();

        Channel channel = session.openChannel("sftp");
        channel.connect();
        ChannelSftp sftpChannel = (ChannelSftp) channel;

 //Just an example - I wull upload 4 dummy files       
 for(int i=1; i<4; i++) {
            sftpChannel.put(/*Here I navigate to a file, and repeat it 3 times for 3 different files*/);
        }                     
        sftpChannel.exit();
        session.disconnect();


        status = "SUCCSSES" ;
    }

In a real application I may have a different ftpServer/host, user and password, so they have to come in as parameters. I know I can do it either with @PathVariable or @parameters - to do it via HTTP GET, but this way everyone will see what gets passed.

How can i pass the input information, so that it remains secret?

Gabriel Robaina · Accepted Answer · 2019-07-24T22:33:38.870

Usually, when you are dealing with a microservice that is triggered by an HTTP request, a POST request is the way to go to secure information being sent.

As you can read here, on a POST request data is sent inside the request body, and not as a parameter. In the POST body, data should be formatted as JSON (key: value pairs) and its structure should match the object received by the method as an argument. For example:

@RequestMapping(method = RequestMethod.POST, value = "/ftpProcess", produces = "text/plain")
    public String ftpFiles(@RequestBody ExampleObject jsonObject){
        return null;
    }

For instance:

Every key value on the JSON body has to mach an attribute of the referenced jsonObject, so that the corresponding values will be automatically set on deserialization.

You can always use tools like Postman to test POST (or any, to be fair) requests by editing its body and sending it to the corresponding endpoint on your server.

For example, if you have an object like so:

public class ExampleObject {

    private String valueA;

    private String valueB;
}

You can send a POST to your endpoint like so. When the request reaches the endpoint on your server, your ExampleObject will have its attributes set like specified in the JSON body.

Thank you. This seems like something I am looking for. If I accessing the microservice from an application, how would I make a call to it to "send" that json object? — Dmitriy Ryabin, Jul 24 '19 at 16:59
I will take a screenshot of a POST request with a JSON body when I get home, to make the example clearer for you. For now, please consider downloading Postman... Is the go-to software for HTTP request testing. — Gabriel Robaina, Jul 24 '19 at 17:17
Could you solve your implement it? Did it solve your problem entirely? Consider marking it as a correct answer so more people can refer to it in the future. — Gabriel Robaina, Jul 28 '19 at 23:13
I was able to use this example from @Gabrielle Pimenta and it worked for my case. — Dmitriy Ryabin, Jul 30 '19 at 18:22

score 0 · Answer 2 · answered Jul 23 '19 at 21:35

0

You can use RequestHeaders.

public String ftpFiles(@RequestHeader("accept-language") String header1) throws....{
}

answered Jul 23 '19 at 21:35

YoManTaMero

391
4
10

How to secure values being sent via HTTP request?

2 Answers2