
Security with Web Services in Java

We have a client that calls our web services. How can we make sure that it is only our client application that is calling the web service and not a client someone else created that calls our web services?

We'd like to avoid hard coding a password into the application.

A quick answer to your question would be to look into OAuth. Implementing OAuth correctly is a process so I would read up on the protocol documentation. Here is a link to example OAuth client libraries. I would also search StackOverflow for advice on OAuth implementations.

In this case you can use two-legged OAuth. This is a variation on standard OAuth and used by companies such as SimpleGeo. Then secure the communication with https and you have a robust solution.

If you don't care about clients not running in a browser, then you can use XSRF tokens, a secret per session that is either associated with some session key in your backend, or round-tripped through two separate paths, such as via a hidden form input and a cookie over a secure channel. If you can't secure the channel, you have to make the tokens single-use. See http://www.cgisecurity.com/csrf-faq.html#protectapp
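A minimal server-side implementation of the per-session XSRF token scheme described in the answer above (an added example, not code from the original answer): the session id arrives in the cookie, the token in the hidden form field, and tokens are consumed after one use when `singleUse` is set because the channel is not secured. The class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class XsrfTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    // session id (from the cookie) -> per-session secret; a real service keeps this in its session store
    private final ConcurrentHashMap<String, byte[]> sessionSecrets = new ConcurrentHashMap<>();
    // tokens already consumed; only consulted when singleUse is on (channel not secured)
    private final ConcurrentHashMap.KeySetView<String, Boolean> spent = ConcurrentHashMap.newKeySet();
    private final boolean singleUse;
    public XsrfTokens(boolean singleUse) { this.singleUse = singleUse; }
    /** On session start: mint the secret this session's tokens derive from. */
    public void startSession(String sessionId) { sessionSecrets.put(sessionId, random(32)); }
    /** Issue a token for the hidden form field: nonce + "." + HMAC(sessionSecret, nonce). */
    public String issue(String sessionId) {
        byte[] secret = sessionSecrets.get(sessionId);
        if (secret == null) throw new IllegalArgumentException("unknown session");
        String nonce = B64.encodeToString(random(16));
        return nonce + "." + mac(secret, nonce);
    }
    /** Check the token from the form against the session the cookie identifies. */
    public boolean validate(String sessionId, String token) {
        byte[] secret = sessionSecrets.get(sessionId);
        int dot = token == null ? -1 : token.indexOf('.');
        if (secret == null || dot < 0) return false;
        byte[] expected = mac(secret, token.substring(0, dot)).getBytes(StandardCharsets.UTF_8);
        byte[] given = token.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return false;  // constant-time compare
        // without TLS a captured token could be replayed, so each one is accepted only once
        return !singleUse || spent.add(token);
    }
    private static byte[] random(int len) { byte[] b = new byte[len]; RNG.nextBytes(b); return b; }
    private static String mac(byte[] secret, String data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(secret, "HmacSHA256"));
            return B64.encodeToString(m.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Because the token's HMAC is keyed by the session secret, a token minted for one session fails validation when presented with another session's cookie, which is what ties the two paths together.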

You can't in the general case. A reasonably intelligent hacker can probably reverse engineer any protocol you use, and extract any secrets you embed in the source code.
