REST authentication and exposing the API key

Raghvendra Pratap Singh

Joined: Jul 26, 2012
Posts: 22

I've been reading up on REST and there are a lot of questions on SO about it, as well as on a lot of other sites and blogs. Though I've never seen this specific question asked...for some reason, I can't wrap my mind around this concept...

If I'm building a RESTful API, and I want to secure it, one of the methods I've seen is to use a security token. When I've used other APIs, there's been a token and a shared secret...makes sense. What I don't understand is, requests to a REST service operation are being made through JavaScript (XHR/Ajax), what is to prevent someone from sniffing that out with something simple like FireBug (or "view source" in the browser) and copying the API key, and then impersonating that person using the key and secret?

Thanks and Regards, Raghvendra Pratap Singh
"Quality means doing it right when no one is looking"
Pat Farrell

Joined: Aug 11, 2007
Posts: 4659

That is what SSL (aka TLS, aka HTTPS) is for. It is designed to prevent "man in the middle attacks" (MITM) where someone can snoop and see your passwords, API keys, etc.

However, it's recently been made public that a fair number of smartphone browsers have deliberate MITM even when you use SSL. This is a disaster, because it breaks the architectural assumptions made when SSL was designed. Worse, it's teaching consumers that it is OK to have some unknown company have the ability to snoop all of your data. Not only your passwords, but your bank and credit card account numbers, etc.

I'm always boggled by the deliberate and willful uses where vendors break what the consumers think is security.
I agree. Here's the link: