
How can I ensure an HTTP request comes from a specific user?

I am writing an additional service for a website, which utilises the existing login behaviour, while requiring some additional signup details from the user. The new service runs in a different subdomain.

The user will be able to create resources on my data web app, which must be saved against that user's data collection.

I expect that this user identifier will be passed to the webapp in the body of the http request. However, I am concerned that a malicious attack could rewrite the user name in the body to make requests appear as if from another user.

What can I do to make this safer? (And does this count as a CSRF attack?)

The new service is written in Java, with Spring 3.

You can never ensure an HTTP request comes from a specific user; you can only attempt to validate a user and a request. Usually this is done by creating a ticket during the login or authentication process, then requiring that ticket on subsequent requests. You can then match the ticket with the user and accept that as valid. The ticket expires after a period of inactivity, requiring the user to log in again.

You should pass the requests through the same security stack that the main website uses if at all possible.

If it isn't possible, I would use Spring Security to handle the authentication. I'm not sure what plugins already exist for Spring Security for authenticating service requests like that, but you could always require that a cookie be used for the session, and then it's just a matter of the client dealing with the authentication steps.

So, you could use a "normal" form logon, or you could put together a token request setup, but that is much more involved.
