Secure the Web Service API calls

Sam Saha
Ranch Hand

Joined: Jan 23, 2010
Posts: 104
I have an application. When we log in to that application using a user ID and password, the login succeeds. In the front end of that application there are Ajax calls which call web-service APIs to retrieve the data. These web-service APIs are not secured, meaning that if you call the APIs from a browser, anybody can see the data. But I want to secure the web-service APIs so that only authorized users who can log on to that application can call them. I am very new to security and have no idea how to secure the APIs. I would appreciate it if someone could help with how to implement security for these API calls. The front end is written in PHP and the back end is Java.
J Dirksen
Author
Greenhorn

Joined: Sep 04, 2012
Posts: 13
What kind of web services are you talking about? Are they web services in the traditional sense with XML and SOAP, or do you use a RESTful approach?

The most basic approach for both scenarios is using basic authentication on the HTTP request; this will allow you to at least restrict access to authorized users.

You talk about "anybody can see the data". What are you looking for: a way to restrict access to your API or a way to encrypt the data?
Sam Saha
Ranch Hand

Joined: Jan 23, 2010
Posts: 104
I am new to this application. I am very new to web services as well. They are using RESTful services. When I say anybody can see the data, I mean that only a user who can successfully log in to the application can call the API and access the data. Otherwise not. If you can give design/implementation steps for how to handle that, I can go through the steps and implement them. Thank you very much.
J Dirksen
Author
Greenhorn

Joined: Sep 04, 2012
Posts: 13
If you only want to expose this API to a logged-in user, the easiest way to do this is by adding basic/digest HTTP authentication to the REST call. There are many examples / steps showing how to do this. The basic steps are outlined in this Stack Overflow post:

http://stackoverflow.com/questions/8073193/secure-access-to-authenticated-rest-server-through-backbone-js
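
One way to apply the HTTP Basic authentication suggested in the reply above on the Tomcat side, as an added example that is not part of the thread: a servlet filter that returns 401 unless the request carries valid credentials. The `/api/*` path, the class name and the single hard-coded demo account are assumptions; it targets the `javax.servlet` API (Tomcat 10 and later use `jakarta.servlet` instead).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/api/*") // assumed URL pattern of the REST endpoints
public class BasicAuthFilter implements Filter {
    // Assumption: one constructed demo account. A real deployment would check
    // a salted password hash in the application's user store instead.
    private static final byte[] DEMO_USER = "demo-user".getBytes(StandardCharsets.UTF_8);
    private static final byte[] DEMO_PASS = "demo-password".getBytes(StandardCharsets.UTF_8);

    /** Returns the user name, or null if the header is missing, malformed or wrong. */
    static String authenticate(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':'); // the first ':' splits user from password
        if (colon < 0) return null;
        String user = pair.substring(0, colon);
        byte[] pass = pair.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // isEqual does not stop at the first differing byte; '&' evaluates both checks.
        boolean ok = MessageDigest.isEqual(user.getBytes(StandardCharsets.UTF_8), DEMO_USER)
                & MessageDigest.isEqual(pass, DEMO_PASS);
        return ok ? user : null;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) rs;
        if (authenticate(((HttpServletRequest) rq).getHeader("Authorization")) == null) {
            res.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // the API servlet is never reached
        }
        chain.doFilter(rq, rs);
    }
}
```

Basic credentials are only Base64-encoded, not encrypted, so the filtered path has to be served over HTTPS.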
Sam Saha
Ranch Hand

Joined: Jan 23, 2010
Posts: 104
I am looking for a solution to the issue below.

We have an application whose front end is written in PHP and whose back end is written in Java. The front-end server is Apache and the back-end server is Tomcat. Users can log on to the application using their user ID and password. In the front end, Ajax calls the API to retrieve the data. The API is not secured, meaning that if you call the API from a browser it will return the data. So the issue is that if someone else somehow creates a front end and calls that API, they can also retrieve the same data, which is not secure.

So I have to secure the API somehow so that only a person who can successfully log in to the application using a user ID and password can call the API and retrieve the data. Otherwise not.
 