I have a web application on my domain, I just allow so IPs to connect, talk and retrieves from my app, now the problem is that another API needs to talk to my app and retrieve info, but I can't open my app to the public , also the API doesn't allow token authentication, it just wants to connect to my app from any IP, any ideas to solve this?
a third party is an option but I need another practical option
I am trying to answer your question from whatever I can understand, if api does not allow any token authentication , then you need to implement something which will authenticate/validate/verify the incoming requests.
Now, if you don't have any scope of changing the implementation of the existing api, then probably you need to add a layer of say API Gateway. If you are using or want to use spring boot then it provides very simple implementation of it through Netflix Zuul.
If this doesn't answer your question, please provide more details.
Related
I need to create register/login functionality in CQ5. There are three ways
1 - The register/login functionality should be prepared as web service hosted on a Java Application Server and then we can consume data from web services.
2 - The functionality should be prepared as web service based on RESTFull that hosted on CQ itself since AEM is developed around the REST principal and REST web services is certainly one which will be supported. So I believe RESTfull web services can be hosted with CQ5.
3 - Why do we need web services? I do not think it requires web services since my application is not going to communicate with other application and it dont want to expose any services to outside world. Why don't we create register/login functionality as we do in normal web application. Can we create a OSGI bundle that invoke databases to store user details for register/login functionality?
I would go for 3rd option but my concern is AEM is not the place to build our business logic to carry out functions that are not related to content rendering.
which option would you choose and why? Kindly share your ideas and thoughts. I am just looking for best solution to develop register/login functionality in CQ.
Thanks
I think i am late to the party but it might help someone. Yes, you can very well create rest webservices in CQ and they work well. So, you can take that approach.
The way to go about implementing login/registration would be how it is done OOTB but OOTB is also bad in the way it implements it so you have to make modifications to overcome that.
1) You need to register and Authentication handler with CQ. If you are looking for a sample there is a form authentication handler source that you can look at.
2) We have integrated out Auth handler with Active Directory (AD). Since AD is supported by default, so it is easy to integrate with Auth Handlers.
3) Next you need to create a user login token for which you can look into TokenUtil class of CQ or if you are looking to develop SSO, you can look into SSO code that is packaged OOTB.
We have developed web service(as well as generic handler) based web application.But it seems that the methods could be invoked by using different tools like (Poster,Advanced Rest Client) to get the secure information of Administrator and could do malicious activities.We would be grateful if you provide us the best possible method to make the method inside webservice or generic handler becomes secure.
What you actually want is to probably know more about WS-Security in your respective technology
Wikipedia: http://en.wikipedia.org/wiki/WS-Security
Microsoft: http://msdn.microsoft.com/en-us/library/ms977327.aspx
Java: https://ws.apache.org/wss4j/
The above works if you expose as SOAP web service.
For REST web service, I found this link:
Security of REST authentication schemes
I am currently working on a single-page web application. The web app will make calls to a REST-like API for authentication and data storage. We are currently in the middle of securing the application, and have worked out a strategy securing the site so only registered users can gain access. But one thing we also want to do is securing the API from others to write their own applications, or access it in any other way than through our web application. The problem from my view is that the API will be open for everybody and not only for my web application.
Anyone who knows how to do this, or who can point me in the right direction. Because right now, don't have a clue.
Considered using certificates and validation?
Your API should only be accessible, if the session of the client is authorized. That's pretty much anything you could do.
There are complex approaches like using client- and server-side encryption or something really basic: render a secret in your webpage that validates the user again on every request.
You could check the headers, where the original request comes from. And so on...
But as most of that is public in a users browser, anyone could read it and adopt it in a third party app.
So save yourself and the people that really want to do a third party app some time and provide a public API :)
Simplest way will be to use OAuth 2.0 ( supports both authentication and authorization) which you need.
Also ensure you secure the data on wire using TLS (HTTPS) and any of the options below
1. HTTP Digest
2. OAuthn 2.0
3. Certificates ( Shared secret)
Stick to HTTPS+Oauth2 for now.
You could lock down your you API to accept requests from known IP's. Also depending on how your network infrastructure is designed, your web application can sit in a DMZ and your API on an internal network accessible only by servers in your network, one of which will include your backend API (This article here info https://www.digitalocean.com/community/tutorials/5-common-server-setups-for-your-web-application has some tips). For better security, a secure network design in addition to an application security framework implementation like OAuth2 and HTTPS (mentioned above). For API's, I've found that resource based authorization works better than role based authorization. Lastly, constant review of your security setup is vital as things change all the time. A good approach to this is Threat Modelling described by OWASP here https://www.owasp.org/index.php/Application_Threat_Modeling
I am working on a cross platform app that will be created using C++-> mobile devices, and using Perl-> Desktop PCs (like Windows /Linux/Mac OS).
Now, since the app will be downloadable, I have concerns regarding the ability of hackers to obtain the source code of my app.
Specifically, the app will connect to my central database-- at the minimum, I want that hackers are not able to obtain my database connection details. Ideally, I would want no part of the code to be hacked.
Basically, the user can update some of his information using this app-- if hackers get hold of this data they can easily change any unfortunate user's data. One thing that I have thought of is that the user will have to initially authenticate with OAuth/OAuth2 ( using his email ID #yahoo/#hotmail/#gmail)-- and only after that the app will actually show the admin interface. But at any rate, at some point the app will connect to the central database-- which is why I dont want the database's access details to be compromised.
Many organisations make such apps, so they must be facing this type of problem themself? I would like to know how I can protect my app (ideally entire code), and atleast the db credentials.
The simple answer is you do not expose your database. Ever.
Add a service layer (could be HTTP-based but doesn't have to be) on top that will deal with authentication and authorisation. Your app then logs in using the user's credentials and acts on their behalf. Your service layer exposes an API which your application talks to, but your service makes and controls all calls to the DB.
You already mention OAuth - that's a perfectly acceptable way of adding authentication to such an API.
You cannot.
On the bright side you can put security on your server. The connecting client provides credentials that they are a given user. The server generates the SQL command after proving the request is allowed. Backers can do anything your app can do, but your app becomes incapable of behaving badly to your database.
The previous answers are absolutely correct. You want a server based service layer that provides the authentication/authorization code and interacts with the database. However, it isn't always a perfect world and if you are stuck with the requirement that these applications must act as a database client you want to limit the exposure as much as possible. Typically this is done by having the client use a specific account which has not been granted any access to the general database. You then create specific stored procedures that can only do the operations and queries that are required of the application. This prevents anyone finding the credentials in the code from doing anything in the database that isn't intended, but you still have the problem that anyone can impersonate someone else by reviewing the code. There isn't a way to prevent that without a server side component. This might be okay for a closed/trusted group of users, but I wouldn't release anything to the general public with this method.
If you can do it, use OAuth2 and allow a trusted third party handle authentication. Twitter, Facebook and GitHub are all relatively paranoid about security; and the other poster is correct: never expose direct db access as part of the app the user has access to; put it behind a service of its own.
Good luck! :)
Now I am creating an iOS application. I also implemented some web services. My requirement is : "The user should be able to call a web service API by Sending a Text Message(SMS)". After a lot of research I found out that there a provider called Clickatell(http://www.clickatell.com/). But I don't know how can I configure it? Please help me in configuring this. Or Is there any other APIs or SMS gateways providing this service?
Disclaimer, I do developer evangelism part time at Nexmo.
Here are a few SMS APIs that I've used (I've not really used Clickatell, but I've gone through the signup process, and the following APIs seem a lot simpler to use):
Nexmo
Twilio
Tropo
All three APIs are straight forward REST/HTTP APIs.
You can call the API directly from your mobile application, however, you should consider if you really want to then compile your API credentials into your application. It may be better to host a kind pf proxy that your application uses - here's some example code used as a verification service, but it's essentially the same concept: https://github.com/Nexmo/Verify
I would suggest to take a look at Mogreet's new Developer Web Site
Very easy to use REST/HTTP APIs and very powerful. It supports sending SMS/MMS with awesome quality for all media types.