0

I created a webservice on an Apache PHP server and I want to be able to call that webservice within Java without using an httprequest.

My initial idea was to use a query string to pass an API key to update a database record. But then I smacked my head and realized a user could just decompile my code and see the request and use it in any browser. Is there a secure way of doing this?

I am trying to track statistics and if the user got a hold of the httprequest they could just go into a browser and go to the URL to mess with the numbers.

The request is just query strings. Like www.example.com?apikey=aausy7556ze&stat1=this&stat2=that

I want a way that this request either doesn't work in browsers or somehow do this without an httprequest. Hope that makes sense.

Jonathan Hall
Tyler

4 Answers

1

Let's explore a few options that don't necessarily involve obfuscating your code (though it always helps to do so):

  1. If you don't want to use HTTP, you pretty much have to define your own protocol and use direct socket communication. This would ensure no one can access your service via HTTP. This approach, however, is a painful one, especially if you have a large number of webservices built already.
  2. If the two servers (PHP and Java) are on the same internal network, you can restrict the webservices to accept requests from internal IP addresses only. This way, no one from outside can go to their browser and try accessing your webservices via the browser.
  3. Another method is using a client certificate over secure HTTP. What you would do is install a client certificate on the Java server (make sure this certificate cannot be downloaded from the internet) and set up the webservices to only accept requests via HTTPS + client certificate validation. You would then call the services with this client certificate, and only a call with a valid certificate would be accepted by the webservice. For setup you could check the instructions at http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9 (Note: I have not done the setup myself, but have seen it work). Since the servers require a client certificate that only the Java client has, no one else can call your webservices. Refer to the Stack Overflow question "Java client certificates over HTTPS/SSL" to set up your Java to call the PHP webservices.

Now, of all three, #2 is the easiest and would probably be enough for your purpose. Number 2 can also be combined with #3 for added security. Together that should be enough to prevent the user from accessing your services from the browser.

Community
momo
  • This is the kind of answer I was looking for. However, putting a certificate on the server that runs the Java server could be troublesome as there are multiple. They are also not on the same server. However, I am curious about the socket protocol. If you have a link to an example that would be great. Otherwise I will do a quick google for now. – Tyler Aug 22 '11 at 18:59
  • You are basically creating your own way of client-server communication over socket programming. A well-known protocol other than HTTP is the SMTP protocol for email. Check http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol, especially the section "SMTP transport example", on how the server and client communicate. All SMTP clients follow this protocol. For your case, you are going to create your own request/response protocol. Note though, if this protocol is breached, one can always try to hack it (via curl or another method), so make sure to use encryption to transfer info back and forth – momo Aug 22 '11 at 22:47
0

What are you trying to hide exactly? I think I understand that you just want to make sure the traffic is encrypted. If you are writing the client and the service you don't need to use SSL; in fact it is wasteful to do so. Just keep a secret key that both the server and client know about, then encrypt the messages with a symmetric algorithm (e.g. AES). You can also add some checks to the plain text before you encrypt to make sure it wasn't tampered with (e.g. add a timestamp, message hash, etc.).

Matthew
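An added sketch of the shared-key scheme described in the answer above (not the answerer's code): the client prepends a timestamp and seals the stats with AES-GCM, whose authentication tag stands in for the separate message hash, and the receiver rejects modified or stale messages. The class name, the 30-second window and the all-zero demo key are assumptions, and the receiving side is shown in Java for brevity although the page's server is PHP.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class SealedStat {
    static final int IV_LEN = 12, TAG_BITS = 128;
    static final long MAX_AGE_MS = 30_000; // assumed freshness window

    // Client side: prepend a timestamp, then encrypt and authenticate with AES-GCM.
    static byte[] seal(byte[] key, String stats, long nowMs) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV per message; never reuse with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] body = stats.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(8 + body.length).putLong(nowMs).put(body).array();
        byte[] ct = c.doFinal(plain); // ciphertext followed by the 16-byte tag
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    // Receiver: throws AEADBadTagException if modified, SecurityException if stale.
    static String open(byte[] key, byte[] msg, long nowMs) throws Exception {
        if (msg.length < IV_LEN + TAG_BITS / 8 + 8) throw new SecurityException("too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, msg, 0, IV_LEN));
        ByteBuffer plain = ByteBuffer.wrap(c.doFinal(msg, IV_LEN, msg.length - IV_LEN));
        long sentMs = plain.getLong();
        if (Math.abs(nowMs - sentMs) > MAX_AGE_MS) throw new SecurityException("stale message");
        byte[] body = new byte[plain.remaining()];
        plain.get(body);
        return new String(body, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];    // constructed demo key (all zeros); not for real use
        long t0 = 1_313_690_000_000L; // constructed timestamp
        byte[] msg = seal(key, "stat1=this&stat2=that", t0);
        System.out.println("fresh:    " + open(key, msg, t0 + 1_000));
        try { open(key, msg, t0 + 60_000); }
        catch (SecurityException e) { System.out.println("late copy: " + e.getMessage()); }
        msg[msg.length - 1] ^= 1;     // flip one bit of the authentication tag
        try { open(key, msg, t0 + 1_000); }
        catch (AEADBadTagException e) { System.out.println("tampered: rejected"); }
    }
}
```

A captured message is still accepted if resent inside the freshness window unless the receiver also remembers recently seen IVs. The key ships inside the client, so the decompilation concern raised in the question and in the other answers applies to it as well.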
0

I think what you are saying is that your server can't trust the client to provide correct values, unless it is your own program. So you want a method to ensure that it's your own client that is calling the service and not another malicious client. You are afraid that any authentication method you embed in your client can be reverse-engineered and the malicious client can then use the same authentication method to pretend to be the legitimate client.

I think all you can do is throw in some obscurity (like you are trying to do by hiding the URL parameters) but there is no real solution to this problem. All the usual security solutions assume that the authentication credentials will be kept out of the hands of malicious users. But in your case you cannot trust the client to keep the authentication credentials safe.

Tahir Akhtar
  • You pretty much hit the nail on the head in the first paragraph. I cannot trust users to not mess with the numbers. I am looking into obscurity libraries. – Tyler Aug 17 '11 at 13:38
0

If someone is decompiling your Java, all bets are off. The best you could hope for there is that an obfuscator would make it sufficiently difficult to read your decompiled code.

Mike Thomsen