I have a web-service which is used to create entries in the Database hosted by GoDaddy and the web-service are written in .net and this web-service or url will be only used in the Mobile Platforms like IOS and Android.
Now I have few questions?
1>How can I secure my URL(web-service) and its content from getting exposed?
Currently I have used post method so that I can hide the parameters but still I fear the URL might be hacked so please suggest a way to secure.
2>Regarding the contents I want to encrypt the data and send to server and in server side it will be decrypted .
Now please suggest me an algorithm or code which can be used across platform like IOS,Android , .Net
Thanks and Regards,
Anil
Use HTTPS
Use login/password auth (no access at all without login and
password)
Related
I have a backend server in which is developed using Symfony 2 framework and FOSUserBundle as authentication provider.
I have made a custom (simple controller that return JSON) API to handle communication between server and the mobile app.
So basically all methods in this API need an authenticated user.
Blow is a little discussion between the server and the mobile app of what I’m planning to do :
mobile app: send https request with parameters(email and password)
server: verify email & password, generate a token, store it in the user table and send it to the mobile app
mobile app : include the token in future requests
server: getUserByToken() and continue the rest of logic
My Questions:
How to achieve credential(email & pass) verification on the server using FOSUserBundle (or anything else)?
I’m wondering what if a hacker use the Man In The Middle technic, get the token and use it to send requests to the server?
Disclaimer : I’m very novice in security and intermediate Symfony 2.
I’m sorry for not including image which will explain more(I haven’t enough reputation).
1.How to achieve credential(email & pass) verification on the server using FOSUserBundle (or anything else)?
Symfony2 handle it for you. You have an example of login here with FOSRestBundle using FosUserBundle. You just need to modify the code for only login with mail.
I am developing an apple app which talks to a restful PHP web service.
Ideally i want this web service password protected.
What is the best way of achieving this,
Is it better to use a technique similar to OAUTH or is it over kill?
Or is it better to send user password and username in server each command and check its legit before caring out each individual command.
Thanks
It depends on the client. If the client is 3rd party, then it needs an OAuth like solution with access tokens. If the developer of the service and the client is the same, then the basic auth approach is enough. Ofc. you have to use encrypted connection.
I need to use Active Directory Federation Services (ADFS) authentication in a Django application. I will create an authentication backend, but which tool would someone recommend me to make it as fast as possible, or would it be better to implement authentication from scratch?
I have read some articles from the Microsoft website, and have checked:
http://claimsid.codeplex.com/
http://msdn.microsoft.com/en-us/library/ff359102.aspx
But even though they explain some core concepts and ideas about ADFS and SSO, the examples are in my opinion more .NET stack focused.
Writing a basic client in .NET and sniffing the traffic would give you all necessary clues to actually implement the flow in any technology.
Basically, your django app has an endpoint adfs uses to return back. You register the endpoint in adfs (like https://myapp.com/authgateway).
Then, your application initializes the flow by redirecting to https://adfs.address/adfs/ls?wa=wsignin1.0&wtrealm=https://myapp.com/authgateway
Adfs picks the request and validates credentials. Then it creates a SAML token and redirects back to your application with a POST request containing the token.
Then comes the difficult part, the SAML token is a plain xml you can use to establish a local user session. One of the claims contains user name provided by adfs, other claims can contain roles, the email, whatever you configure at the adfs side.
But, to prevent forging, you need to validate the token. The validation consist in checking the XMLdsig signature and verifying that the signing certificate thumbprint matches the thumbprint of the adfs signing certificate. Depending on how much knowledge on x509 certificates and xml validation you have this can be easy or difficult. Try to find any support in django community.
Anyway, as you can see the basic flow is simple, is a matter of two redirects, a 302 from your application to adfs and a POST back from adfs to your application. Although we do this daily in .net, our partners do it in php/java under our guidance.
There's a package available for this here:
http://django-auth-adfs.readthedocs.org/en/latest/
This is a similar situation to the one raised in this question:
Javascript Calling a Rest API with App Name and App Password - How Can i Secure it
Here is the architecture overview:
The site is Html5/jquerymobile
It contacts what I call a "Wrapper" service.... This is a REST API I wrote in C#, to contact another 3rd party REST API. I do this because there are credentials in the Header and the API uses Basic Authentication. Credentials are therefore not publicized as they are only known server-side.
My "Wrapper" service does not currently implement any additional security. It is currently accessible from anywhere. The easiest and quickest way to lock it down is to restrict by IP, so no other IP anywhere except the server can actually contact my wrapper service.
The questions:
Is the locking by IP the only way to ensure that the API won't get hammered if it was otherwise accessible from anywhere?
If I convert this using Phonegap (which I have... and deployed successfully on Android), obviously the native app won't work if the web service is restricted.
Is there a way around this so I can allow traffic only from the mobile app, and not from any other source? I'm thinking along the lines of MD5 hash or something that could be sent to the wrapper API.. but unfortunately I'm thinking that info can easily be "sniffed".
Is my only viable option here to release the app as a web app, forcing browser use, thereby removing any concerns about allowing my web service to be hammered??
I believe the answer to this is a combination of a user token and encrypting the message through SSL.
The server can issue a valid user a token so we can identify him in future requests.
Encrypting it via SSL will ensure that this token cannot be sniffed.
https://security.stackexchange.com/questions/12531/ssl-with-get-and-post
frontend dev here with no experience with SSO so bear with me. Keen for a high-level recommendation on the following as I can appreciate it may vary.
We've got a client setting up SSO to login to our site, and Im trying to understanding how I can safely call their webservices for user info from our domain via AJAX. Looking at their services they're asking for a User ID and Password which I dont think is usable/feasible as I assume our system would need to expose the password to the frontend which doesnt seem secure... They mentioned they could pass these via http but that doesnt seem secure either!
Is there some sort of way we can validate the webservice all via SSO or is there some other way?
Thanks
Further my comment, we're pushing ahead with using the shared encryption method used for our SSO (TripleDES in ECB mode) to encrypt the token in the webservice request