Securing mobile REST Api with spring Security enough?

Question:

Tag: api,security,rest,spring-security

I'm planning to make a little mobile app that will rely on a Java (Spring / Spring MVC) REST API. The API will have paths that look like this, for example:

/rest/account POST (will create a new account; an account is composed of a username + pass + email)

/rest/photo/like, for example, that modifies behaviour and adds things to the DB...

I'm also planning to use Spring Security to handle the authentication/authorisation. So before the mobile app makes any authorised call (for example to /rest/photo/like) it will have to log in (so basically a call to /security_check?j_username=username&password).

And from now on every request will have to include the JSESSIONID in the cookie.

My question is: is this secure enough? Do I have to use OAuth2? Or is it overkill?

Bonus question: as you don't need to be authenticated to make the /rest/account call to create an account, what is the best way to prevent a user from creating 1000000 accounts? Apache/IP filter? Or should I handle this in some interceptor in Spring MVC?


Answer:

1) Yes, from your requirements description I would say Spring Security will do fine. (REST services are usually stateless instead of using sessions, but Spring Security can handle both.)

2) You don't need to use OAuth2 unless you want to pull information from a user's Google or Facebook account or something like that.

3) The bonus question is not trivial. A common way is to use a CAPTCHA. You could use OAuth to, for example, limit the user to one account for every Google/Facebook/X account they have.
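As an added illustration of the "interceptor in Spring MVC" option raised in the bonus question (example code, not from the question or answer above), the following Spring MVC interceptor throttles POST /rest/account per client IP with a sliding window. It assumes a single-node deployment with an in-memory map, a hypothetical limit of 5 account creations per hour, and that the app is not behind a reverse proxy (so `getRemoteAddr()` is the real client address).

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/** Throttles unauthenticated account creation per client IP (sliding window). */
public class AccountCreationRateLimiter extends HandlerInterceptorAdapter {
    private final int maxRequests;
    private final long windowMillis;
    // Hypothetical in-memory store: one deque of request timestamps per client key.
    // Keys are never evicted here; a production deployment would use a cache with expiry.
    private final Map<String, Deque<Long>> history = new ConcurrentHashMap<>();

    public AccountCreationRateLimiter(int maxRequests, long windowMillis) {
        this.maxRequests = maxRequests;
        this.windowMillis = windowMillis;
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler) {
        // Only account creation is throttled; every other request passes through untouched.
        if (!"POST".equalsIgnoreCase(req.getMethod())) {
            return true;
        }
        // getRemoteAddr() is only the real client when no proxy sits in front of the app;
        // behind a proxy you control, derive the key from the proxy-set forwarding header instead.
        String clientKey = req.getRemoteAddr();
        if (!allow(clientKey, System.currentTimeMillis())) {
            res.setStatus(429); // Too Many Requests
            res.setHeader("Retry-After", String.valueOf(windowMillis / 1000));
            return false; // stop the chain; the controller never runs
        }
        return true;
    }

    /** Sliding-window check, kept separate so it can be unit-tested without a servlet container. */
    boolean allow(String key, long now) {
        Deque<Long> times = history.computeIfAbsent(key, k -> new ArrayDeque<>());
        synchronized (times) {
            // Drop timestamps that have fallen out of the window.
            while (!times.isEmpty() && now - times.peekFirst() >= windowMillis) {
                times.pollFirst();
            }
            if (times.size() >= maxRequests) {
                return false;
            }
            times.addLast(now);
            return true;
        }
    }
}

/** Registers the interceptor on the account-creation path only (Spring 4-style MVC config). */
@Configuration
class RateLimitConfig extends WebMvcConfigurerAdapter {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new AccountCreationRateLimiter(5, 60L * 60L * 1000L))
                .addPathPatterns("/rest/account");
    }
}
```

A per-IP limit alone does not stop a distributed signup flood, so it is best combined with the CAPTCHA the answer suggests rather than used instead of it.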

