I need to do several server 2 server calls to bing maps rest services, so I would like to obtain a session key using the api key, so I can save on billable calls.
I found samples on how to obtain the session key using ajax sdk or wpf map control, but nothing using directly the rest api making http calls.
Is it possibile to obtaing the session key in this scenario?
Session keys are only available when using the REST services with one of the interactive map controls. Sessions are an incentive provided to use the interactive Bing Maps controls in a visual application. Sessions cannot be used in server 2 server communications or backend processes.
Related
I need to get the coordinates from the browser and get the address of those coordinates. For that I can use the Bing Maps Location api (https://dev.virtualearth.net/REST/v1/Locations/*long*,*lat*?c=fi&o=json&key=*myapikey*).
How secret should I keep this key?
When embedding Bing Maps you also need a key that would be seen in the browser. Not sure how that key compares to the Locations api.
Should I create a separate key for those calls?
Can I do the api calls from javascript which would expose the key?
The alternative being that the frontend does a backend call with the coordinates and the backend is calling the Maps api.
Generally speaking you should keep your key private as anyone who gets the key can make transactions which would be billed to you. In practice this has not been a huge issue and it's easy to block a key and get a new one if this occurs. If you want to be more secure, keeping the key server-side and routing your client calls through the server will protect it. You can also generate a session key from your API key on the server when the page is first rendered and send that to the client. A session key works like a normal key, but has a short expiration time, so there's no danger of it leaking and being used by someone else.
I know how to implement token based security via OAUTH to protect the access of an api. I also know ho to use HTTPClient to call an api.
But when I search/google how to use OAUTH calling a web api from a web api all it shows me is how to implement token based security for an web api (which I already have).
In my scenario I have an UI calling web api 1. After that I have to do some server to server communication: web api 1 calls web api 2 and web api 2 calls web api 3. Web Api 3 does something & returns to web api 2 which then does something based on success or failure, then returns to web api 1 (which does something) returning back to the UI.
(The reason for that intended implementation is storing (different) data in 3 different databases where I currently do not want (and later maybe not be allowed to) grant web api 1 direct access to them.
I am just unclear how I would manage the tokens (I don't want to request them every time, so I guess I will need some kind of service handling that and keeping them).
Any hint I could get the authorization (token handling) done?
I do have some data stored in my Real-Time Firebase database. I am willing to expose some of this data via a REST API to my B2B customers.
I know that Firebase is itself a REST API but its authentication mechanisms don't fit my needs. I am willing my customers to access the API with a simple API Key passed in the HTTP request headers.
To summarize, I need an API layer sitting on top of my Firebase real-time database with the following properties:
Basic Authentication via an API key passed in the HTTP request headers
Some custom logic that makes sure customers respect the API limits (maximum requests per day for example)
The only thing I can think of is implementing this layer in AWS lambda but that also sounds a bit off. From the lambda, I would have to access my Firebase database and serve that data. That seems too many network requests; something native to Firebase would be great.
Thanks,
Guven.
Why not have a simple API which provides them an Oauth token for the original firebase REST API if they have the correct Api Key
It'll be more secure as only you'll be able to make the tokens as only you'll have the service account private key. Also saves you the headache of making a whole REST API. Also the Oauth tokens expire relatively quickly so it's less of a risk than a normal key that you furnish
I personally have created my own Servlets where a user posts their data if they are authenticated using an id pass combo.
In the Servlets i use the default REST API provided by Firebase with the Oauth generated in my servlet. This way, i can have the DB security rules set to false for all writes from any client api. And the REST API and their admin sdk on my server ignore the security rules by default.
After some research, I have decided that AWS is the best platform such API related features.
Gateway API lets you setup your API interface in a matter of seconds
DynamoDB stores your API data; you can easily populate the data here
AWS Lambda lets you write the integration code between Gateway API and DynamoDB
On top of these, the platform offers these features out of the box:
Creation & handling and verification of API keys for authentication
Usage plans to make sure that API consumers don't exceed your API usage limits
Most of what I was looking for is offered in these AWS services.
Usually to get the session id key to use with Bing Map request instead of the Bing Maps Key, we would use one of the available control ( Bing Maps AJAX Control 7.0, Bing Maps Silverlight Control, Bing Maps WPF Control, and Bing Maps for Windows Store apps) to request a session id depending on the situation.
Since the app we are currently working with was developed with Unity (the game engine) and use the REST imagery api from Bing Map to request tile data and display them, every request for map tile is counted as a billable transaction since there is no session id because there is no control available.
We would like to reduce the amount of billable transaction the app receive every time the user browse the map and the only way to do so is to have a session id key.
Is there a way other than with the default control provided to obtain a session id key?
It is technically possible but not authorize in the terms of use since the session key mechanism is only to be used with the provided map controls among those offered by the platform (AJAX, SL, WPF and WinStore app controls).
MSDN reference:
See the MSDN for more information:
https://msdn.microsoft.com/en-us/library/ff859477.aspx
With quoted useful information:
This transaction is not billable if the service request is made using a session ID from an AJAX Control, Silverlight Control, WPF Control, Windows Store app for JavaScript, or Windows Store app for C#, C++, or Visual Basic session.
Terms of use:
And see the Terms of Use regarding the session information, article 4.9.b:
https://www.microsoft.com/maps/product/terms.html
Regular use, best practices and samples:
For any other regular and authorized use cases, see the blog post that explains how to optimize the calls and transactions:
http://blogs.bing.com/maps/2013/02/14/bing-maps-rest-service-tips-tricks/
I have few basic questions on session management in GWTP.
Client : GWTP, Server - Restful WebServices using Guice and Jersey.
Application session management is straightforward when i have the backend service with RPC mechanism. But, With GWT client running on android and server side logic exposed as Restful Web services using Jersey, how do we maintain session because Restful WS are stateless. Now how do we achieve user session in this case?
Regarding session management there is no difference whether you use GWT's RPC, RequestFactory or RequestBuilder.
Communication in the web is basically stateless regardless of the communication protocol you are using.
Traditionally session management is done via server side sessions.
However RESTfull services are not supposed to rely on server side sessions as it violates restful principle.
So basically there are two ways to do it:
If you don't care much about violating the restful principles you can deploy server side sessions (see here for more details).
use OAuth (https://wikis.oracle.com/display/Jersey/OAuth)
somehow pass the credentials/securityToken for every request to your backend. You can probably do that by using GWTP's ClientActionHandlers.
After going throught lot of comments from different people, here what I have thought of doing.
My application can be accessed from Browser based app and Mobile devices as well. Application was written the http session management in server at first for browser based app. Now while getting Mobile client, we have implemented Rest web services, with same service layer for mobile device and browser client as well.
When user logs in with mobile device, we are creating a unique auth token and we store the http session with this token ID as key, value map in app. Later on we expect every user request from mobile device to return this token, and using this token get the session from map and continue.
Does anybody has any opinion on this approach?