REST authentication and exposing the API key

Raghvendra Pratap Singh
Greenhorn

Joined: Jul 26, 2012
Posts: 22

I've been reading up on REST and there are a lot of questions on SO about it, as well as on a lot of other sites and blogs. Though I've never seen this specific question asked...for some reason, I can't wrap my mind around this concept...

If I'm building a RESTful API, and I want to secure it, one of the methods I've seen is to use a security token. When I've used other APIs, there's been a token and a shared secret...makes sense. What I don't understand is, requests to a REST service operation are being made through JavaScript (XHR/Ajax); what is to prevent someone from sniffing that out with something simple like FireBug (or "view source" in the browser) and copying the API key, and then impersonating that person using the key and secret?


Thanks and Regards, Raghvendra Pratap Singh
"Quality means doing it right when no one is looking"
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
That is what SSL (aka TLS, aka HTTPS) is for. It is designed to prevent "man in the middle attacks" (MITM) where someone can snoop and see your passwords, API keys, etc.

However, it's recently been made public that a fair number of smartphone browsers have deliberate MITM even when you use SSL. This is a disaster, because it breaks the architectural assumptions made when SSL was designed. Worse, it's teaching consumers that it is OK to have some unknown company have the ability to snoop all of your data. Not only your passwords, but your bank and credit card account numbers, etc.

I'm always boggled by the deliberate and willful uses where vendors break what the consumers think is security.
 
Don't get me started about those stupid light bulbs.
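The token-plus-shared-secret scheme the question mentions works by signing each request with the secret rather than sending it, so an observer sees only the token, a timestamp and a signature. The following is an added example (not code from either poster) of both sides of such a scheme in Python; the credential store, header names and 300-second window are assumptions. The secret still has to live on a server, since anything embedded in browser JavaScript is readable with "view source", and TLS is still what stops a captured request from being replayed inside the timestamp window.

```python
import hmac
import hashlib
import time

# Constructed sample credential store: token -> secret. Lives on the server only.
SECRETS = {"tok-123": b"constructed-secret"}


def canonical(method, path, body, token, ts):
    """Bytes that both sides sign: method, path, token, timestamp and body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, token, str(ts), body_hash]).encode()


def sign_request(method, path, body, token, secret, ts=None):
    """Client side: build auth headers. The secret itself is never transmitted."""
    ts = int(time.time()) if ts is None else ts
    sig = hmac.new(secret, canonical(method, path, body, token, ts), hashlib.sha256).hexdigest()
    return {"X-Token": token, "X-Timestamp": str(ts), "X-Signature": sig}


def verify_request(method, path, body, headers, now=None, window=300):
    """Server side: look up the secret, reject stale timestamps, compare in constant time."""
    token = headers.get("X-Token", "")
    secret = SECRETS.get(token)
    if secret is None:
        return False
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > window:  # limits how long a sniffed request stays replayable
        return False
    expected = hmac.new(secret, canonical(method, path, body, token, ts), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```

Any change to the method, path, body, token or timestamp invalidates the signature, so a sniffed request cannot be repurposed, only replayed verbatim within the window.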