So I have a Spring Application with a React project. Im doing some test and I have requests that envole url parameters. For example:
http://localhost:8080/rest/user/{user email}
Now I dont want to make these emails public so i thought about either encoding them into base64 or just encrypt them using AES or something of the sort. Doing it in react is quite simple, but can I do it with Spring? I mean short of running every url parameter through a decrypt function?
Something like a filter that basically decrypts the url or something like that?
Related
How does one add or implement NTLMv1 Authentication in Quarkus? I need it so that I can use the quarkus rest client to read and write to Sharepoint folders using their Rest APIs.
See https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service?tabs=csom
Basically need to be able to authenticate and get the form digest value which expires every x seconds. After which I can include that in the header of the requests.
I don't think there is an out of the box solution.
If I understand the problem correctly, the easiest way to implement this is probably either using #ClientHeaderParam or ClientRequestFilter, that you register on your client with #Register(MyFilter.class).
Either way, you need to write some code to obtain the token and refresh it when it expires yourself.
I'm trying to implement Spring OAuth2 in my Spring REST application. What I have already achieved:
Generate a token while logging in.
Store this token on the client side, use it for every request I do from UI.
What I want to achieve:
1. Encrypt the token stored on the client side & send this encrypted token instead of sending the actual token.
Are there any services available in the Spring OAuth2 project to achieve this?
Any ideas/suggestions?
Thanks
As I know oauth2 servers and clients usually run in SSH channels, if you use SSH there is no need to encrypt theme.
Secondly access_token is stored in a cookie on client side. if you want to encrypt it you must consider which your oauth2 server should be able to decrypt it too!
Thirdly your scenario is already have been implemented by JWT!
take a look at :
https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/oauth2
I am using Restful api in CodeIgniter. Now I want to give api to third party, so I want to secure that api I am using digest, when I hit the api
in the browser a pop up comes which ask about username and password.
So I want to ask how to pass username and password in url to that it works.
Thank you in advance and sorry for the bad English
This doesn't directly answer you question but it does provide an alternative.
In my experience with API's you secure them with a HMAC. This is basically a hash that is generated using some data unique to the request, a timestamp and a private key. This hash along with the data used to create it will be passed to your API - NOT the private key - this data can all be sent in the headers of the request. When your API gets this data is uses the unique data, the timestamp and the private key to create another hash. The hash from the header and the newly created one are then compared. If they match you can be sure that the same private key was used to generate them. This saves sending any usernames/passwords over the internet.
I would also recommend that your server is setup to only serve HTTPS, this will help prevent man in the middle attacks.
This is a library that I have written for this very purpose.
https://packagist.org/packages/mardy-git/hmac
I hope this helps.
I wrote a web server with a spring boot, which returns json, depending on the query. I wonder how can I protect my server to json reimbursed only for specific addresses or applications. So that a regular user of the browser could not get the data.
The easiest way:
Use extra parameter like ?api_key=39802830831bed188884e193d8465226 and compare if the provided value matches one of the allowed values in database.
For security concerns you should use https.
I'm developing a REST JSON API with the Spring MVC Framework. I want to serve a single HTML application to the user and the whole communication between server and client is done with JSON format. So the client single HTML application uses jQuery to send AJAX calls to the server.
My big problem is to find the right way to do integrate a proper security technique. I read a lot about basic, digest or form based authentication via Spring Security, but I don't think this is the right way. I want to get JSON responses if the user isn't logged in and I don't want to send a jsessionid with each request.
Could you please tell me the right way or the best-practice how to authenticate user by performing AJAX requests? Maybe it's OAuth 2-legged? (don't have much clue of OAuth)
If you don't want to store auth information in server-side session (and use JSESSIONID in cookies/urls) you may send auth info with every ajax request using BASIC auth header (created in JS).
I've never used 2-legged oauth, so I won't comment about it.
edit: typo