Security in Spring RestFul Services with Swing Client

  • Security in Spring RestFul Services with Swing Client

    Hi All,

    We have designed a Spring-based business application which is hosted over the web. The server system has a number of REST services exposed which process requests and return JSON data. On the other hand, we have multiple clients, written in Swing (core Java), an Android mobile application, and a separate lightweight Struts-based web application, which communicate with our business server.

    Now we are looking to secure our business server from unwanted hits (if somebody else knows the HTTP URLs of the services). We need to ensure that the business server only processes a request if the request is coming from one of our clients.

    Can anyone please suggest what kind of security implementation will be suitable for this?

    Thanks in advance,
    Regards,
    Satty

  • #2
    Hi Satty,

    I'll let one of the Spring Security gurus here speak to a Spring Security based solution to this problem.

    However, if you have access to the configuration of the app server(s) that host your RESTful services, you should be able to configure it/them to restrict access to specific hosts based on IP, IP range, or CIDR. What are you running as your app server?

    Ideally, I would do this at the load balancer or firewall level. (My company does this on our BigIP.) Are you running anything like that? If not, I would restrict at the app server level as mentioned. I would *personally* use Spring Security as a last resort... not because Spring Security cannot handle such tasks, but for mainly philosophical reasons and also some practical ones such as resource management.

    Cheers

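    The host-based restriction suggested in this reply, applied in front of the application as an added example (not code from the original post, and not Spring Security; the mechanism is the same in a servlet filter or at a proxy). It is a small WSGI middleware that rejects any request whose client address is outside a CIDR allow-list before the application runs. The networks, the proxy address and the sample requests are constructed for illustration. The caveat a practitioner wants is also shown: `X-Forwarded-For` is only honoured when the TCP peer is one of our own proxies, and even then only its rightmost entry is used, because anything earlier in that header is attacker-controlled.

    ```python
    import ipaddress
    from typing import Callable, Iterable

    # Constructed allow-list: networks the Swing / Struts clients are expected to
    # come from. Real values would come from configuration (TEST-NET ranges used here).
    ALLOWED_NETWORKS = [
        ipaddress.ip_network("203.0.113.0/24"),    # hypothetical office network
        ipaddress.ip_network("198.51.100.17/32"),  # hypothetical partner host
    ]

    # Our own reverse proxy / load balancer. Only these peers may set X-Forwarded-For.
    TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


    def client_ip(environ: dict):
        """Return the real client address for a WSGI environ.

        REMOTE_ADDR is the TCP peer. If that peer is one of our proxies, the
        client is the *rightmost* X-Forwarded-For entry, which the proxy appended
        itself. Any entry to the left of it could have been sent by the client.
        A header from an untrusted peer is ignored entirely.
        """
        peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
        if any(peer in net for net in TRUSTED_PROXIES):
            xff = environ.get("HTTP_X_FORWARDED_FOR", "")
            if xff:
                return ipaddress.ip_address(xff.split(",")[-1].strip())
        return peer


    def is_allowed(addr, networks: Iterable) -> bool:
        """True if addr falls inside any allowed network (IPv4/IPv6 mismatch is False)."""
        return any(addr in net for net in networks)


    def ip_gate(app: Callable, networks=ALLOWED_NETWORKS) -> Callable:
        """WSGI middleware: answer 403 before the wrapped application is invoked."""
        def gated(environ, start_response):
            try:
                addr = client_ip(environ)
            except ValueError:      # malformed address: treat as not allowed
                addr = None
            if addr is None or not is_allowed(addr, networks):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"forbidden\n"]
            return app(environ, start_response)
        return gated


    def business_app(environ, start_response):
        """Stand-in for the real REST service; only reached when the gate passes."""
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"status":"processed"}']


    def handle(environ: dict) -> tuple:
        """Run one request through the gated app and return (status, body)."""
        result = {}

        def start_response(status, headers):
            result["status"] = status

        body = b"".join(ip_gate(business_app)(environ, start_response))
        return result["status"], body


    if __name__ == "__main__":
        # Constructed sample requests.
        samples = [
            {"REMOTE_ADDR": "203.0.113.40"},                                        # direct, allowed
            {"REMOTE_ADDR": "192.0.2.9"},                                           # direct, not allowed
            {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "198.51.100.17"},   # via our proxy
            {"REMOTE_ADDR": "192.0.2.9", "HTTP_X_FORWARDED_FOR": "203.0.113.40"},   # spoofed header
        ]
        for env in samples:
            print(env, "->", handle(env))
    ```

    This only solves the part of the problem where clients sit on known networks; it cannot admit a public Android user, which is exactly the gap raised in the next reply.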


    • #3
      Hi Damrass,

      Thanks for the suggestions!!!

      Totally agree with your suggestion that we should apply this security filter before Spring comes into the picture. I was also thinking the same way, to accept requests from some specific IPs; it resolves the problem for the pieces which are under our control (like the web app and other controlled third parties), but the problem comes when we think about users who are using our licensed Swing application/Android applications from their local networks.

      Can you give me some idea whether some kind of "certificate" (maybe a client certificate) can help here? Actually I am not very sure how client certificates work, so if you have some idea, and if someone can confirm that, yes, it can solve my problem, then I will find a way to implement it. But due to a time crunch, I am not in favor of hit and try.

      Thanks!!!
      Satty



      • #4
        Maybe I misunderstood you. The RESTful services -- are these going to be consumed only by you, or are these open to your customers as well?

        Or are these services going to be installed by your customers? (I'm confused by what you mean licensed.)

        If your customers will be consuming the services you are hosting, then I would implement something like Basic HTTP auth (over SSL of course) or OAuth. I prefer Basic HTTP auth in my own RESTful services just because it's so easy to implement--on both ends. You can generate username/password pairs for customers and revoke them if the customer leaves or that pair becomes compromised.

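        The Basic-auth-over-TLS scheme this reply recommends, worked through as an added example (not the poster's code and not Spring Security's implementation; the logic is what any Basic-auth filter must do). It shows both ends: the client-side header encoding, and a server-side check that refuses plaintext HTTP, rejects absent or malformed headers with a cheap parse before any hashing, stores only salted PBKDF2 hashes, compares them in constant time, and supports the revocation the reply mentions. The credential store, client names, passwords and the `request` dict shape (`scheme`, `authorization`) are constructed for illustration; the iteration count is a tunable, not a recommendation.

        ```python
        import base64
        import hashlib
        import hmac
        import os
        from typing import Optional

        PBKDF2_ITERATIONS = 100_000   # illustrative; tune to your hardware budget


        def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
            """Store a per-user random salt and a PBKDF2-HMAC-SHA256 hash, never the password."""
            salt = os.urandom(16)
            digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
            return {"salt": salt, "hash": digest, "iterations": iterations, "revoked": False}


        # Constructed credential store, keyed by the identity issued to each client (example data).
        CREDENTIALS = {
            "swing-orders": make_record("s3cret-swing"),
            "android-public": make_record("android-pass"),
            "old-partner": make_record("was-leaked"),
        }
        CREDENTIALS["old-partner"]["revoked"] = True   # pair revoked after a compromise

        # Dummy record hashed against for unknown users so "no such user" and
        # "wrong password" take the same time (limits user enumeration by timing).
        _DUMMY = make_record("dummy")


        def basic_header(user: str, password: str) -> str:
            """Client side: build the Authorization header value."""
            token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
            return f"Basic {token}"


        def parse_basic(header: Optional[str]) -> Optional[tuple]:
            """Return (user, password) or None for an absent or malformed header.

            This is the cheap check: it runs before any password hashing, so junk
            traffic without usable credentials never costs a PBKDF2 computation.
            """
            if not header:
                return None
            scheme, _, token = header.partition(" ")
            if scheme.lower() != "basic" or not token:
                return None
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
                return None
            user, sep, password = decoded.partition(":")   # password may itself contain ':'
            if not sep or not user:
                return None
            return user, password


        def verify(user: str, password: str) -> bool:
            """Constant-time hash comparison; revoked and unknown users always fail."""
            record = CREDENTIALS.get(user)
            target = record if record is not None else _DUMMY
            candidate = hashlib.pbkdf2_hmac(
                "sha256", password.encode("utf-8"), target["salt"], target["iterations"]
            )
            matches = hmac.compare_digest(candidate, target["hash"])
            return matches and record is not None and not record["revoked"]


        def authenticate(request: dict) -> tuple:
            """Decide one request. Returns (http_status, detail)."""
            if request.get("scheme") != "https":
                # Basic auth is base64, not encryption: never accept it in the clear.
                return 403, "basic auth only accepted over TLS"
            creds = parse_basic(request.get("authorization"))
            if creds is None:
                return 401, "missing or malformed credentials"
            user, password = creds
            if not verify(user, password):
                return 401, "bad credentials"
            return 200, user


        if __name__ == "__main__":
            # Constructed sample requests.
            samples = [
                {"scheme": "https", "authorization": basic_header("swing-orders", "s3cret-swing")},
                {"scheme": "http", "authorization": basic_header("swing-orders", "s3cret-swing")},
                {"scheme": "https", "authorization": basic_header("old-partner", "was-leaked")},
                {"scheme": "https", "authorization": "Basic !!!not-base64"},
                {"scheme": "https"},
            ]
            for req in samples:
                print(req.get("scheme"), "->", authenticate(req))
        ```

        In a servlet container the `scheme` check corresponds to `request.isSecure()` (or the `X-Forwarded-Proto` value from a trusted proxy), and the rest would live in a filter ahead of the controllers.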


        • #5
          Maybe I have not explained it correctly... ;-) Let me try again... so the scenario is:

          The application is all about order placement using an Android application (by the public) and processing and updating order status by authorized persons using the Swing application or web UI.

          1. We have one Spring REST service based application which holds all our business services.
          2. We have 3 types of client pieces which are supposed to work with the above application. These are:

          a - Swing application: This application will be distributed to limited clients (like processing of orders).
          b - Mobile application: This is for use by the public for some different services (like placement of orders).
          c - Web application: This is an alternative to "a" and is used for order processing.


          In all communication from these 3 clients to the server we are doing basic authentication and authorization with uid/pwd.

          Now the problem statement is: in our business application all services are available on a public IP (and it is required); now if somebody can simply get to know the URLs of our services (even if he does not know the credentials), he can bring down our business application by putting heavy traffic on the services with wrong credentials. So to avoid these kinds of attacks, we want to put some strategy in place so that our business server simply discards the request if it is not coming from a/b/c, and does not even put effort into validating the id and password here.

          Now a/b/c are all under our control. So what kind of strategy can we put here to know the requester (at the server), so that we can decide whether or not to process the request at a very early stage?

          I am not sure if it makes sense to you...

          Appreciate your efforts to respond...

          Thanks,
          Satty



          • #6
            Originally posted by satising (post #5 above, quoted in full)
            By having no authentication on your services you have exactly the same risk, but you also have the additional risk that users can do things with your data, which is really bad. If it were me, I'd fix that first and foremost and then be concerned with how to handle a DoS attack.
