Secure webservice call in Java

Question

I created a webservice on an apache PHP server and I want to be able to call that webservice within java without using an httprequest.

My initial idea was to use a query string to pass an API key to update a database record. But than I smacked my head and realized a user could just decompile my code and see the request and use it in any browser. Is there a secure way of doing this?

I am trying to track statistics and if the user got a hold of the httprequest they could just go into a browser and goto the URL to mess with the numbers.

The request is just query strings. Like www.example.com?apikey=aausy7556ze&stat1=this&stat2=that

I want a way that this request either doesn't work in browsers or somehow do this without an httprequest. Hope that makes sense.

Answer 1

Let's explore few options that doesn't necessarily involve obfuscating your code (though it always help to do so):

1. If you don't want to use HTTP, you have to pretty much define your own protocol and use direct socket communication. This would ensure no one can access your service via http. This approach, however, is a painful one especially if you have a large number of webservices built in already.
2. If the two servers (PHP and Java) are on the same internal network, you can restrict the WebServices to accept request from internal IP address only. This way, no one from outside can go to their browser and try accessing your web services via the browser.
3. Another method is using client certificate over secure http. What you would do is install a client certificate on a Java server (make sure this certificate cannot be downloaded from the internet) and setup the webservices to only accept request via https + client certificate validation. You would then call the services with this client certificate and only a call with a valid certificate would be accepted on the webservice. For setup you could check instructions at http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9 (Note: I have not done the setup myself, but have seen it works. ). Since the servers require client certificate that only the Java client has, no one else can call your webservices. Refer to this stackoverflow question Java client certificates over HTTPS/SSL to setup your Java to call the PHP webservices

Now, of all three, #2 is the easiest and probably be enough for your purpose. Number 2 can also be combined with #3 for added security. Together that should be enough from preventing the user to access your services from the browser.

Answer 2

What are you trying to hide exactly? I think I understand that you just want to make sure the traffic is encrypted. If you are writing the client and the service you don't need to use SSL, in fact it is wasteful to do so. Just keep a secret key that both the server and client know about, then encrypt the messages with a symmetric algorithm (eg AES). You can also add some checks to the plain text before you encrypt to make sure it wasn't tampered with (eg add a timestamp, message hash etc etc)

Answer 3

I think you are saying is that your server can't trust the client to provide correct values, unless it is your own program. So you want a method to ensure that it's your own client that is calling the service and not another malicious client. You are afraid that any authentication method you embed in your client can be reverse-engineered and the malicious client can then use the same authentication method to pretend to be the legitimate client.

I think all you can do is throw in some obscurity (like you are trying to do by hiding the URL parameters) but there is no real solution to this problem. All the usual security solutions assume that the authentication credentials will be kept off the hands of malicious users. But in your case you cannot trust the client to keep the authentication credentials safe.

Answer 4

If someone is decompiling your java, all bets are off. The best you could hope for there is that an obfuscator would make it sufficiently difficult to read your decompiled code.