
I would like to build the following project:

  • public REST API back end which can be accessed by any authenticated client
  • front end made of static HTML/CSS/JavaScript files, with Backbone.js and jQuery calls to the REST back end

In fact, there are three parties in my architecture: the front end, which is a client of the back end; the back end; and the user who wants to authenticate on the front end login page.

What is the best way to secure the three parties involved in this architecture?

In fact, I believe it is just impossible to make a secure app on the front end if I do everything in JavaScript, so I intend to delegate the authentication/authorization to a proxy layer on my server front end. What do you think about that?

I intend to use OAuth to secure my REST back end, but I am not sure whether I have to use the 2-legged or 3-legged implementation. What is the right approach in this case?

UPDATE: while searching a bit more on the SO website, I found this thread, which is exactly what I would like to do, except I want to use Java on the server side and not DotNet. If I understand correctly, my web site is like any client of my REST API, except that it is the only one which has the right to create new user accounts. Because, if my REST API is only accessible through OAuth (like Twitter's), who can perform the user account creation beforehand? Am I right?

rico
  • You are correct that any authentication/authorization done in JS is worthless since the user can just turn it off or spoof it. – Thomas Dec 17 '11 at 16:42
  • @rico FYI, you might be able to get some more answers at http://security.stackexchange.com. – Micah Dec 17 '11 at 21:33
  • @Thomas, it is as worthless as client side form validation. – amirouche Dec 18 '11 at 16:32
  • In fact, my problem is that I don't know how to perform authentication by simple username/password (or OpenID) and perform authorization (with OAuth?) on the client side. – rico Dec 18 '11 at 22:13

1 Answer

One major security concern with this architecture is testing. Automated tools will have trouble testing this system for common vulnerabilities like SQL injection and direct object reference. A useful tool for testing strange architectures is OWASP's open source Zed Attack Proxy or the proprietary Burp proxy. Testing will be time consuming and requires someone who has a good understanding of web application vulnerabilities. We often refer to these people as pentesters.

A RESTful form of keeping session state is to use an HMAC to protect the values from modification. However, this is a misuse of cryptography because it opens the door for attack. An attacker can brute force the secret key used in your HMAC and then modify values such as his session id or otherwise gain access to another account on the system. Cryptography should only be used when there is no other option. This vulnerability is prevented entirely by storing session state in a database, which isn't RESTful.

rook
  • Thank you for the testing advice, but my question is more oriented on how to authenticate users on my web site client and do authorization on my back end. – rico Dec 19 '11 at 13:55
  • @rico, why would that change? How is this any different from an HTML application with plain old GET/POST? Just use a session on the backend. The browser keeps track of a cookie. In the session data you keep track of their session id, and include it in all SQL queries to prevent insecure direct object reference. Just like HTML, you still have to worry about CSRF, SQL injection, XSS, etc. – rook Dec 19 '11 at 16:44
  • What do you mean by a session on the backend? It is a REST back end, so I suppose you mean something which would play the session role; do you mean a token? – rico Dec 19 '11 at 18:59
  • I am not sure I have understood. What do you want to store in the back end database? Do you think OAuth, which is used by Google, Twitter and so on, is not secure? And what do you think about Amazon's authentication rules for its [S3 REST API](http://docs.amazonwebservices.com/AmazonS3/latest/dev/RESTAuthentication.html)? Thank you Rook. – rico Dec 20 '11 at 12:37
  • I have just run into the direct object reference problem myself. It seems like there is no right answer. Using some HMAC can be brute forced. Otherwise session info destroys REST. Are there any other options? – uriDium Sep 25 '13 at 12:02
  • @uriDium Authentication is a state that cannot be avoided. In a RESTful system you still need some form of state for purposes of security. – rook Sep 25 '13 at 15:56
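The two designs contrasted in the answer and its comments, as an added example that is not part of the original post: an HMAC-signed stateless token checked with a constant-time compare, beside an opaque server-side session store, plus the "include the authenticated user in every query" check against insecure direct object reference. Names, the in-memory SQLite table, and the random `SERVER_SECRET` are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed for this example; a real deployment loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_stateless_token(user_id: int) -> str:
    """Stateless variant from the answer: claims travel with the client, protected by an HMAC tag."""
    payload = f"uid={user_id}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_stateless_token(token: str):
    """Return the user id if the tag matches, or None if the claims were altered."""
    payload, _, tag = token.rpartition(".")
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return int(payload.split("=", 1)[1])


# Server-side variant from the comments: the cookie carries only an opaque random id.
SESSIONS: dict[str, int] = {}


def create_session(user_id: int) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user_id
    return sid


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two orders owned by two different users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders(id INTEGER PRIMARY KEY, owner INTEGER, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [(1, 100, "book"), (2, 200, "lamp")])
    return db


def get_order(db: sqlite3.Connection, session_id: str, order_id: int) -> str:
    """The IDOR check: the owner from the session is part of the WHERE clause, not just the id."""
    uid = SESSIONS.get(session_id)
    if uid is None:
        return "401"
    row = db.execute("SELECT item FROM orders WHERE id = ? AND owner = ?", (order_id, uid)).fetchone()
    return row[0] if row else "404"
```

Returning 404 rather than 403 for someone else's order avoids confirming that the id exists.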