Is CSRF protection really expected to be present in a REST based application?
I know it is required for web applications where JSPs are served from the server end. But I am developing a Spring Boot enabled REST service that will be consumed by Angular/Bootstrap front ends. The authentication mechanism is JWT based.
Can anybody explain what kind of CSRF attacks I can expect, since I haven't used Spring's CSRF protection mechanism in the backend REST services?
Since a REST application is supposed to be stateless, you can't implement traditional CSRF protection (which involves storing a token on the client and the server and then matching them).
However, you can still be vulnerable to CSRF attacks if you use a mechanism to pass credentials that is automatically persisted by the browser (such as cookies or HTTP Basic Auth).
You should avoid using such methods for authentication when writing a REST service and use something else (e.g. a custom HTTP request header).
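The answer above turns on one browser behaviour: cookies (and HTTP Basic credentials) are attached to a request automatically, whatever page issued it, whereas a custom header such as `Authorization` is only present when the application's own front-end script set it. The following is an added example, not code from the question or the answer, that models that behaviour in plain Python with a minimal HS256 JWT and then checks three designs: the token in an ordinary cookie, the token in an `Authorization` header, and the token in a `SameSite=Strict` cookie. The site names, the secret and the simplification that a cross-site page can never add custom headers (it would need CORS permission from the API) are constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo values; a real service loads its signing key from a secret store.
SECRET = b"constructed-demo-secret"
API_SITE = "api.example"        # the REST service and its Angular front end
ATTACKER_SITE = "evil.example"  # a page the victim visits while logged in


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(subject: str) -> str:
    """Issue a minimal HS256 JWT: header.payload.signature (no expiry, demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token):
    """Return the subject of a valid token, or None for missing/tampered tokens."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse anything but the algorithm we signed with
        return json.loads(_b64url_decode(payload)).get("sub")
    except (ValueError, AttributeError):
        return None


@dataclass
class Cookie:
    value: str
    same_site: str = "None"   # "None", "Lax" or "Strict"


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def browser_request(jar, method, from_site, script_headers=None):
    """Model of how a browser builds a request to API_SITE from a page on from_site.

    Cookies are attached automatically, subject to their SameSite attribute.
    Custom headers survive only when the issuing page is the API's own front end;
    a cross-site page is assumed to get no CORS permission to set them.
    """
    cross_site = from_site != API_SITE
    cookies = {}
    for name, cookie in jar.items():
        if not cross_site or cookie.same_site == "None":
            cookies[name] = cookie.value
        elif cookie.same_site == "Lax" and method == "GET":
            cookies[name] = cookie.value   # Lax: sent cross-site only on safe methods
        # Strict: never sent on a cross-site request
    headers = {} if cross_site else dict(script_headers or {})
    return Request(method, cookies, headers)


def authenticate_via_cookie(req):
    return verify_jwt(req.cookies.get("jwt"))


def authenticate_via_header(req):
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_jwt(auth[len("Bearer "):])


def csrf_demo():
    """Compare what a forged cross-site POST achieves under each credential design."""
    token = issue_jwt("alice")
    bearer = {"Authorization": f"Bearer {token}"}
    forged_cookie = browser_request({"jwt": Cookie(token)}, "POST", ATTACKER_SITE)
    forged_header = browser_request({}, "POST", ATTACKER_SITE, bearer)
    legit_header = browser_request({}, "POST", API_SITE, bearer)
    forged_strict = browser_request({"jwt": Cookie(token, "Strict")}, "POST", ATTACKER_SITE)
    return {
        "cookie_forged": authenticate_via_cookie(forged_cookie),    # "alice": CSRF succeeds
        "header_forged": authenticate_via_header(forged_header),    # None: header never sent
        "header_legit": authenticate_via_header(legit_header),      # "alice": normal use works
        "strict_cookie_forged": authenticate_via_cookie(forged_strict),  # None: cookie withheld
    }


if __name__ == "__main__":
    print(csrf_demo())
```

The cookie design authenticates the forged request as `alice` with no help from the attacker beyond causing the browser to send it; the header design rejects it because the attacker's page cannot populate `Authorization`, which is exactly the answer's recommendation. The `SameSite=Strict` case is included because it is the usual mitigation when a cookie cannot be avoided.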
So RESTful APIs are stateless wherein the server does not store any state about the client session on the server side.
And consistent hashing in load balancing is used to associate a client with a server, i.e., all requests from a given client will be directed to a given server only (amongst a group of servers) because that server has some data stored in it about that client.
So, if our server uses RESTful APIs then is there no need for consistent hashing while load balancing?
Not necessarily. While RESTful APIs are stateless, your server isn't. Server-side caching doesn't violate the constraints of REST. If a server is able to keep information from a client in its cache, it could make a significant difference if future requests are made to that server instead of to another one which may need to perform more work to retrieve the client's data.
It is very situational, however, so I can't speak to your specific server setup!
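To make the answer's point concrete: the API being stateless does not stop a server from holding a warm cache for a client, and consistent hashing is what keeps that client on the same server while letting the pool change size without reshuffling everyone. The following is an added example, not part of the question or the answer, of a consistent hash ring with virtual nodes; the node names and the `client-N` keys are constructed. `remapped_fraction` removes one node and reports how many keys moved, and whether every key that moved was one that had been on the removed node (the property that makes the technique worthwhile for cache locality).

```python
import bisect
import hashlib


class ConsistentHashRing:
    """Ring of hash points; each physical node owns `replicas` virtual points."""

    def __init__(self, nodes=(), replicas=100):
        self.replicas = replicas
        self._ring = {}    # hash point -> node name
        self._points = []  # sorted hash points
        for node in nodes:
            self.add_node(node)

    @staticmethod
    def _hash(text: str) -> int:
        # 64-bit slice of SHA-256; stable across processes, unlike Python's hash()
        return int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")

    def add_node(self, node: str) -> None:
        for i in range(self.replicas):
            point = self._hash(f"{node}#{i}")
            self._ring[point] = node
            bisect.insort(self._points, point)

    def remove_node(self, node: str) -> None:
        for i in range(self.replicas):
            point = self._hash(f"{node}#{i}")
            del self._ring[point]
            del self._points[bisect.bisect_left(self._points, point)]

    def get_node(self, key: str):
        """Route `key` to the first virtual point clockwise from its hash."""
        if not self._points:
            return None
        idx = bisect.bisect_right(self._points, self._hash(key))
        if idx == len(self._points):
            idx = 0  # wrap around the ring
        return self._ring[self._points[idx]]


def remapped_fraction(ring, keys, node_to_remove):
    """Remove a node; return (fraction of keys that moved, moved keys all came from it)."""
    before = {k: ring.get_node(k) for k in keys}
    ring.remove_node(node_to_remove)
    after = {k: ring.get_node(k) for k in keys}
    moved = [k for k in keys if before[k] != after[k]]
    only_from_removed = all(before[k] == node_to_remove for k in moved)
    return len(moved) / len(keys), only_from_removed


def demo():
    # Constructed pool: three API servers, one thousand client identifiers.
    ring = ConsistentHashRing(["api-1", "api-2", "api-3"])
    clients = [f"client-{i}" for i in range(1000)]
    fraction, only_from_removed = remapped_fraction(ring, clients, "api-2")
    return fraction, only_from_removed, ring


if __name__ == "__main__":
    fraction, only_from_removed, _ = demo()
    print(f"{fraction:.0%} of clients moved; moved only from removed node: {only_from_removed}")
```

With three servers, removing one moves roughly a third of the clients, all of them from the removed server; the other two servers keep exactly the clients (and caches) they already had. A plain `hash(key) % n` scheme would instead reassign most clients when `n` changes.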
I need to test SAML federation for a web application that is protected by an in-house SSO solution that can federate in SAML.
For testing purposes, I generally provision a Windows Server 2012 R2 server, configure ADDS and ADFS on it and then create a relying party trust to our web application's SSO solution (our SSO solution has an ACS URL which I use here).
Now, is there a SaaS-based IDP that allows me to quickly configure a user store and SAML federation with my application? I just need to test the simple use case of a user authenticating with his IDP credentials and the SAML assertion being posted to my ACS URL.
I know there are many SaaS IDP solutions but need to know which one provides the simplest and least resistant path for my use case.
Any suggestions are appreciated.
There are a number, and you want one that is quick to use, has good documentation and is (hopefully) free.
I have used Azure AD, Auth0 and Okta for this kind of thing.
Sadly, SAML configuration is never easy!
I have an HTML5 web app that fetches data using jQuery from a REST Java API. I have two questions:
How can I encrypt data on the server and decrypt it locally with a different key for each user? Where can I store this key on the client side? Is it needed, or is it just enough to secure the REST service call with some authentication method?
Is there any standard way to prevent other rest clients (except browsers) to hit this rest api?
Use HTTPS.
Use authentication so you know who is hitting it (OAuth, client certificates, session token), but there's nothing you can really do to prevent anything other than a browser accessing it. You could make it harder by rapidly recycling the authentication token using JavaScript (but this will break in horrible ways if the user opens more than one window).
I have implemented a REST API using PHP. This API accesses a MySQL database.
I was looking for hosting services but I'm not sure where to start; the majority of this type of service refers to web hosting, which as I understand it is not what I need.
Can anyone suggest any free or cheap service that will support my requirements?
I also need the possibility to schedule a service which will periodically access the REST API. This one is not implemented yet, because I'm not sure what kinds of languages/frameworks are usually supported by the hosting service.
Any help is truly appreciated.
I think that a regular web hosting account would actually work just fine for what you need. If you think about it, the only difference between your RESTful API and any other website is that your API does not return HTML, but rather returns data that is encoded to be consumed by another program instead of a human user directly. From a hosting perspective, though... there really is no difference. There are lots of companies that provide PHP/MySQL hosting out there - for example, Dreamhost. Lots and lots of options.
Do you need the database itself hosted or just the PHP? If the latter, most any web host with PHP will do what you desire. If the former, you'll need a database host as well as a web host.
As long as the hosting provider supports HTTP requests like DELETE, PUT, etc. and you are using them in your REST application/service, then you are good to go. So just ask for a confirmation about this.
If you need PHP + MySQL hosting then go for web hosting.
And for the scheduled service you can use cron jobs.
In a cron job you can select a PHP script and the interval for running it automatically.
It will automatically execute after the given interval of time.
What are your recommendations for a basic, centralized identity management/SSO service? It must be open source, have a pluggable identity manager (e.g. LDAP, DB, OpenID, etc.) and provide a decent range of API access options (e.g. web services, REST, etc.). It must also be clusterable for high availability.
JOSSO? CAS? others?
There are a number of open source SSO solutions: OpenAM/OpenSSO, CAS Server and Shibboleth.
Don't forget simpleSAMLphp if you're looking for SAML support, or HybridAuth if you're just looking for an SSO library.
WSO2 as described here. It's absolutely free, Java based and integrates with most of services / apps via various protocols or APIs.