Securing your RESTful web services
Web services are usually exposed to developers so that they can build applications that consume the API. For the web service developer, security is therefore a major concern: malicious coders will probe for any vulnerability, and once one is found the API is simply insecure.
An API that must only be accessed by authenticated users requires a request-level authentication mechanism. Passing the user's unique identity and password with each request is very dangerous. Instead, some sort of access token must be used, and cryptographic hash functions (this tutorial uses md5) are your best friend in this regard.
I assume that you have a basic idea of the MVC pattern; the sample code is Yii based, and we will make use of OOP in the Yii framework. You can download and learn Yii from here.
In my previous tutorial I wrote a few lines on creating RESTful web services. Here we simply extend that code to add the security features.
Let us suppose our API is for authenticated users only, so each request made to the API is processed only after authentication. On first use, a user logs in with a username and password. Once the user is authenticated, we return a hashed string that is used as the access token with future requests.
The code in your login action will look something like this:
public function actionLogin() {
    // Decode the JSON request body sent by the client
    $data = CJSON::decode(file_get_contents('php://input'));
    // Implement some authentication here (check the username and password)
    // If authenticated, update the users table with the latest access token.
    // Note that rand() is not a cryptographically secure generator.
    $access_token = md5($data["username"] . rand(10000, 9999999));
    // Return the token to the client
    echo CJSON::encode(array('access_token' => $access_token));
}
The client, which may be an Android, iPhone, web or other mobile application, receives the access token, stores it and passes it with every request it makes in the future.
So the access token is validated on every controller action execution.
For this we use the event handling of the Yii framework: the base controller's beforeAction() is raised before any action of a derived controller runs.
Example secure method
Method in the base class, i.e. "RestController":
class RestController extends CController { // CController is Yii's base controller
    public function beforeAction($action) {
        // access token validation goes here
    }
}
API controller:
class myAPI extends RestController {
    // calling any action of this controller will raise the
    // beforeAction of the base class
}
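As an added example (not the tutorial's or Yii's own code), here is the base controller and API controller sketched above written out in full. It assumes Yii 1.x (CController, CJSON, an ActiveRecord `User` model with a `token_hash` column) and clients sending the token in an `Authorization: Bearer` header; unlike the tutorial, it stores only the SHA-256 of the token and generates the token with random_bytes() rather than rand().

```php
<?php
// Added example, not the tutorial's code. Assumes Yii 1.x (CController, CJSON)
// and a User ActiveRecord with a `token_hash` column; clients are assumed to
// send the token as "Authorization: Bearer <token>" (the web server must pass
// that header through to PHP).
class RestController extends CController
{
    protected $currentUser; // User authenticated for the current request

    // Yii calls this before every action of every subclass; false aborts the action.
    public function beforeAction($action)
    {
        $token = $this->tokenFromRequest();
        // Only SHA-256(token) is stored, so a leaked users table holds no live tokens.
        $user = ($token === null) ? null : User::model()->findByAttributes(
            array('token_hash' => hash('sha256', $token)));
        if ($user === null) {
            $this->sendJson(401, array('error' => 'invalid or missing access token'));
            return false;
        }
        $this->currentUser = $user;
        return parent::beforeAction($action);
    }

    // Issue a fresh token from the OS CSPRNG (PHP 7+) instead of rand().
    protected function issueToken(User $user)
    {
        $token = bin2hex(random_bytes(32));
        $user->token_hash = hash('sha256', $token);
        $user->save(false);
        return $token; // returned to the client once, never stored in clear
    }

    private function tokenFromRequest()
    {
        $header = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
        return preg_match('/^Bearer ([0-9a-f]{64})$/', $header, $m) ? $m[1] : null;
    }

    protected function sendJson($status, array $body)
    {
        header('Content-Type: application/json', true, $status);
        echo CJSON::encode($body);
    }
}

// Every action here inherits the check; none runs unless beforeAction() accepted the token.
class MyAPI extends RestController
{
    public function actionProfile()
    {
        $this->sendJson(200, array('username' => $this->currentUser->username));
    }
}
```

The login action would call issueToken() after checking the password and return the result, so the clear-text token exists only in that one response.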