
Restricting Access to Java Servlet

I'm writing an Ionic mobile app that sends HTTP requests to a Java servlet. The HTTP request URLs contain user information and will be used to update the backend database. However, I don't want anyone other than my app users to just mess up my database by sending HTTP requests from external sources. The user is not required to log in to use my app, so I couldn't verify the identity of people sending requests. The only solution I have thought of so far is sending a key along with the request, which will then be verified on the servlet. However, this hardcoded way is far from satisfactory. What would be a better way? Or am I connecting to the backend wrong? I'm open to all suggestions.

If you are updating data without validating the user credentials, then anyone can update it, as it is simply a matter of modifying the user agent and sniffing the secret key in your payload, which is as secret as the URL itself. You will have to figure out a way to authenticate the connection, e.g. sending across a hash of the data you are sending along with the data, salted with a unique key that you generate during application install, and a generated user ID, both of which are sent to you during the install. You can then keep the unique key in your DB, and whenever you receive a request, you hash the data and match the hash to ensure that it was sent from the mobile device.
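The scheme this answer sketches is per-install request signing: the server remembers a key per generated user ID, and each request carries an HMAC over its contents that the server recomputes. The following is an added, self-contained example (not code from the question's app or either answer) that plays both sides in one JDK-only program; the in-memory `KEYS` map stands in for the database, and the `canonical` string format, the timestamp freshness window and the JSON body are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class InstallKeySigning {

    // Server-side store of per-install keys, keyed by the generated user ID.
    // Stands in for the DB the answer mentions (assumption for this example).
    private static final Map<String, byte[]> KEYS = new HashMap<>();
    private static final SecureRandom RNG = new SecureRandom();
    // Requests older than this are rejected, which bounds the replay window (assumed value).
    private static final long MAX_SKEW_MS = 5 * 60 * 1000L;

    /** Run once at app install: generates {userId, base64Key} and stores the key server-side. */
    static String[] provision() {
        byte[] key = new byte[32];
        RNG.nextBytes(key);
        String userId = Long.toUnsignedString(RNG.nextLong());
        KEYS.put(userId, key);
        return new String[] { userId, Base64.getEncoder().encodeToString(key) };
    }

    /** The exact string both sides sign; the separator keeps fields from running together. */
    static String canonical(String userId, long timestampMs, String body) {
        return userId + "\n" + timestampMs + "\n" + body;
    }

    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** Client side: the value the app puts in its signature header. */
    static String sign(String base64Key, String userId, long timestampMs, String body) throws Exception {
        byte[] key = Base64.getDecoder().decode(base64Key);
        return Base64.getEncoder().encodeToString(hmac(key, canonical(userId, timestampMs, body)));
    }

    /** Server side: true only if the key is known, the timestamp is fresh and the HMAC matches. */
    static boolean verify(String userId, long timestampMs, String body,
                          String signature, long nowMs) throws Exception {
        byte[] key = KEYS.get(userId);
        if (key == null) return false;                                   // unknown install
        if (Math.abs(nowMs - timestampMs) > MAX_SKEW_MS) return false;   // stale or replayed
        byte[] given;
        try {
            given = Base64.getDecoder().decode(signature);
        } catch (IllegalArgumentException e) {
            return false;                                                // malformed header
        }
        byte[] expected = hmac(key, canonical(userId, timestampMs, body));
        return MessageDigest.isEqual(expected, given);                   // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        String[] creds = provision();
        String userId = creds[0], key = creds[1];
        long now = System.currentTimeMillis();
        String body = "{\"score\":42}";                                  // constructed sample payload
        String sig = sign(key, userId, now, body);

        System.out.println("valid:    " + verify(userId, now, body, sig, now));                          // true
        System.out.println("tampered: " + verify(userId, now, "{\"score\":9999}", sig, now));            // false
        System.out.println("replayed: " + verify(userId, now, body, sig, now + MAX_SKEW_MS + 1));        // false
        System.out.println("unknown:  " + verify("nobody", now, body, sig, now));                        // false
    }
}
```

In the servlet, `userId`, the timestamp and the signature would travel as request headers and `body` would be the raw request body, so sign over the bytes you actually receive rather than a re-serialised copy. Two caveats a practitioner should keep in mind: the timestamp only narrows replay, so a server-side nonce cache is needed to rule it out entirely, and anyone who can extract the install key from a rooted or instrumented device can still sign arbitrary requests; this proves a request came from a provisioned install, not that the user behind it is honest, so server-side validation of the data itself is still required.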

In my experience, sending a client secret in a header to your servlet and then verifying that this secret is valid is a good way to go on this.

You could store a list of valid secrets (if you had multiple clients) and then verify that one was included in a header for any request which was sent to your servlet.

Another thing to keep in mind is that if you want communication to be secure, you should enforce that HTTPS requests are used (instead of HTTP); otherwise client secrets will be sent in plain text. This would make it easy for an attacker to see the secret and use it in their own requests.
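A servlet filter is the natural place to put the two checks this answer describes (a valid client secret in a header, and HTTPS only). The following is an added example, not code from the question's app or from either answer; the header name `X-Client-Secret`, the `secrets` init-param and the `/api/*` mapping are assumptions, and the filter is meant to be registered in `web.xml` with the secrets supplied as an init-param rather than hardcoded in source.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Rejects non-HTTPS requests and requests that do not carry a known client secret. */
public class ClientSecretFilter implements Filter {

    private static final String HEADER = "X-Client-Secret";   // assumed header name
    private List<byte[]> secrets;

    @Override
    public void init(FilterConfig config) {
        // Secrets come from the filter's "secrets" init-param (comma separated),
        // one per released client, so nothing secret sits in the source tree.
        secrets = new ArrayList<>();
        String raw = config.getInitParameter("secrets");
        if (raw != null) {
            for (String s : raw.split(",")) {
                secrets.add(s.trim().getBytes(StandardCharsets.UTF_8));
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Refuse plain HTTP so the secret is never sent in the clear.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        String presented = request.getHeader(HEADER);
        if (presented == null || !isKnownSecret(presented.getBytes(StandardCharsets.UTF_8))) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        chain.doFilter(req, res);   // secret accepted; hand off to the servlet
    }

    private boolean isKnownSecret(byte[] presented) {
        boolean found = false;
        // Check every entry with a constant-time compare so response timing does not
        // reveal whether, or which, secret matched.
        for (byte[] s : secrets) {
            found |= MessageDigest.isEqual(s, presented);
        }
        return found;
    }

    @Override
    public void destroy() {
        secrets = null;
    }
}
```

Two practical notes: `request.isSecure()` reflects the connector the container sees, so behind a TLS-terminating load balancer it will be false unless the container is configured to trust `X-Forwarded-Proto` (Tomcat's `RemoteIpFilter`/`RemoteIpValve`, for example); and a static secret compiled into a mobile app can be recovered by anyone who unpacks the binary, so this filter raises the bar against casual abuse but does not, on its own, stop a determined attacker from reusing the secret.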
