Spring - best way to secure get request - spring

I wrote a web server with a spring boot, which returns json, depending on the query. I wonder how can I protect my server to json reimbursed only for specific addresses or applications. So that a regular user of the browser could not get the data.

The easiest way:
Use extra parameter like ?api_key=39802830831bed188884e193d8465226 and compare if the provided value matches one of the allowed values in database.
For security concerns you should use https.

Related

NTLMv1 authentication support for Quarkus

How does one add or implement NTLMv1 Authentication in Quarkus? I need it so that I can use the quarkus rest client to read and write to Sharepoint folders using their Rest APIs.
See https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service?tabs=csom
Basically need to be able to authenticate and get the form digest value which expires every x seconds. After which I can include that in the header of the requests.
I don't think there is an out of the box solution.
If I understand the problem correctly, the easiest way to implement this is probably either using #ClientHeaderParam or ClientRequestFilter, that you register on your client with #Register(MyFilter.class).
Either way, you need to write some code to obtain the token and refresh it when it expires yourself.

How to access Request Specific Data in Go?

I have an API written in go and I am using the gin-gonic framework to implement my endpoints. I am following clean architecture for my project which means that my entire application is divided into multiple layers namely - Controller, Service, Repository, And Session. The endpoints are secured by auth0 and the validation is carried out in a gin middleware. In the middleware I can extract the Subject from the JWT (Set in the header)
Now, here's my question. I want to use this subject value in my queries. I was wondering if I can store the Subject (sub) in the context and use it in other parts of my code WITHOUT PASSING CONTEXT AROUND. Is this possible? Or do I simply have to update all my functions and add a new parameter "Sub" to all downstream calls?
I am alluding to using a Global Variable of sorts to access Request Specific Data (SUB from the JWT token). I know it's a bad practice- I am just wondering if there is any other way to accomplish this other than passing around request specific data? Any help is appreciated.
It is really the whole point of the context - it exists to hold these kinds of things and to be passed around the chain. It's important because you want to keep it scoped to the request -- if you start using globals you could run into issues where you get contention because multiple requests are messing with the same data. Likewise if the token was invalidated between requests.
If your authentication middleware runs before your query (which it sounds like it does) then it should be simply a matter of having it put the subject in the context in a way you're happy with.

Where does Spring Security stores my session data by default?

I'm currently trying to implemente some basic security structure to my Spring Boot project, but I can't find an really concrete answer to what is going on in the authentication process. Basically, I just followed this tutorial:
https://leaks.wanari.com/2017/11/28/how-to-make-custom-usernamepasswordauthenticationfilter-with-spring-security
An it seems to be using the default Spring Security protocols and stuff, i really only implemented a custom filter where my code checks MongoDB for an existing user, and the thing works as expected.
The thing is, Postman tells me that whenever I do a successful login I receive a JSESSIONID cookie, and this cookie is used on get requests, for example. If there is a SESSION ID, I assume that Spring somehow knows how to map ID to users, but how? I haven't set up any DB configuration for that, and Spring seems to store that state somewhere. How can I access it, or change to a DB on which access I have control of?
if you want to save sessions to database, you can add org.springframework.session:spring-session-jdbc dependencty. You can choose sql file from here for your database and create tables.

How can I hide API secret key when sending AJAX requests?

I am about to start working on a project, which is basically a web interface for a mobile banking application. The API is ready, I only need to provide the frontend part of the web application. I was going to make it using Backbone/Angular/Ember, but started to worry about the security.
Particularly, the following. As a rule, every API request must contain a parameter method_code, which is calculated as hash of user token, method name and secret API key. If I put the logic of how this param is calculated into one of .js files, anyone could potentially access some sensitive data using tools like Postman or even browser console. How should I go about this issue? I could have a server-side script generating the method_code for me, but is it possible to make it accessible only to my web app's requests?
every API request must contain a parameter method_code, which is calculated as hash of user token, method name and secret API key
I could have a server-side script generating the method_code for me, but is it possible to make it accessible only to my web app's requests?
Yes, the server-side script would be the way to go if you do not want to expose the secret API key within your client side code or request data.
User token can (presumably) come from the user's session cookie value? So simply have a server side method that takes the method name and then returns the method_code calculated from the secret API key (kept server side only) and the user token.
The Same Origin Policy will prevent another domain making a request to your API and retreiving the method_code. I'm also assuming the API and front-end code runs on the same domain here, although if this is not the case you can use CORS to allow your front-end code to read and retreive data client-side via the API.
You can try to generate a token based on security factors and encrypt that and use it in your requests to identify your clients and valid requests.

Can requests via Ajax to make direct db queries ever be made secure?

Suppose you would format your urls so that you could make direct model queries with a request using Ajax.
Making a query in Django:
MyModel.objects.get(id=4)
Making a query via request to url using Ajax:
/ajax/my-model/get/id/4/
The problem is that this presents a huge security problem, any user that knows how to make requests via Ajax could query the database by recognising that the url corresponds to a query of a specific model. However, if these kind of queries could be made secure, it would allow for much more well structured/reuseable client side code imo.
But I simply don't see how this can be made secure. I just want to make sure if this suspicion is correct.
Never trust input from the client. I think this is a very general rule in web development and applies to any request the client does. I think you have a couple options here:
use Django's internal Authorization mechanism. This is not authentication! Like this you can limit resources to be accessed to specific users only. Also look into reusable django apps, which seem to take some complexity out of that topic.
validate every input from the client. This is mostly for requests which are supposed to change data).
use an API framework like django-tastypie or django-restframework, which are easily plugable with your models and offer authentication and authorization out of the box.
In Django, such views will be protected by its authentication mechanism. It is possible to design the view so it will only allow specific users to query specific queries.

Resources