One of the main challenges in distributed application development is security. In the old days an application's front end and back end were bundled together and hosted on the same server, and we used authentication methods such as database-based user/password verification or LDAP authentication.
There is a difference between a loosely coupled, distributed application architecture and the old bundled application design: distributed applications use a service-oriented architecture (SOA). Facebook and Twitter have this kind of design, meaning they expose their application functions as services. Some of those services are public and anyone can access them; others are secured and restricted to a particular application domain.
So what are the advantages here? Flexibility and scalability.
Since the functions (services) are hosted separately, any external party can use those functional pieces and deliver a creative end product by capturing the related user requirements. Google has a huge services API across many products (maps, news, search and so on). Imagine the scope of those services and how strong their authentication mechanism has to be.
That is the background.
Security is a major concern in this design, so how do we build a strategy to ensure it? I will take a REST-based services API as the example. Remember the old days of developing applications with sessions: the web server allocated one session per user login, and developers used cookies to keep the relationship between the client and the server-side session. REST is stateless; a REST function does not remember who accessed it before. So the client application has to manage the user session itself and present proof of identity on every request, with no session support from the server.
Assume we have a domain/Employee resource (service). Since the services API is hosted independently on some other server, many parties can reach it:
Client A -> GET domain/Employee/1
Client B -> GET domain/Employee/1
But we want our services to be accessible only to Client A. How can we do that? We can pass an identity with each and every request the client sends, either as a query string (GET request) or in a request header (any request type: GET/POST/PUT/DELETE). The header is the better place for it, because query strings end up in server logs, proxy logs, browser history and Referer headers.
domain/Employee?Auth=Identity
header={
Authorization: Prefix Identity
}
Note
The identity is a token, built as described under Token Calculation below.
Concepts
- To get access to the services API, the user must have a valid account. E.g. to access Google Maps the user needs a Google account.
- Once the user account is authenticated (against LDAP or a password table), the user obtains a shared secret (known only to the API and that user) in the response of the authentication method.
E.g.:
POST http://domain/Public/api/v1/Authenticate
Response {"Secret": "b5afcadd-0001-4a85-9feb-c17c8eb5425e"}
Note
The web service stores the secret in its own store, with the user id as the key. This response is the only time the secret travels over the network, so the Authenticate call must go over TLS; after that, only signatures derived from the secret are sent.
Identifying Request Elements
- User Id - Each request token must contain the user id (access key ID) of the identity used to send the request, so the service can look up the matching shared secret.
- Signature - Each request token must contain a valid request signature, or the request is rejected.
Token Calculation
- Authorization = "HMAC " + Token
- Signature = HMAC-SHA1( SharedSecret , UTF-8-Encoding-Of( StringToSign ) )
- StringToSign = HTTP-Verb + "\n" + Content-Type + "\n" + URI
- Token = base64( userid + ":" + Signature )
Three details matter here. First, the header is the standard Authorization request header, and the scheme word is a custom one rather than "Basic", so that servers and proxies do not try to parse the token as HTTP Basic credentials. Second, the shared secret is the HMAC key, not part of the data being signed; the user id is public and must never be used as the key. Third, the fields of StringToSign are separated by a delimiter so that different verb/URI combinations cannot produce the same string.
Because the signature is a one-way keyed hash, anyone who observes the request learns neither the shared secret nor how to forge a signature for a different verb or URI; the secret itself never crosses the wire after it is issued. The signature does not hide the request contents, so the API should still be served over TLS. It also does not, by itself, stop replay: an identical request signed once can be resent until the secret changes, so in practice a timestamp or nonce is added to StringToSign and stale values are rejected. HMAC-SHA1 is not weakened by the known SHA-1 collision attacks, but HMAC-SHA256 is the usual choice today.
After receiving the token from the client, the service verifies it.
Note
The web service recreates the token with the same mechanism:
- 1. Get the shared secret from the store using the user id carried in the token.
- 2. Construct the string to sign from the incoming request's own properties (verb, content type, URI), not from anything the client claims in the token.
- 3. Use HMAC-SHA1 with the shared secret to generate the signature.
- 4. Compare both signature strings with a constant-time comparison. If they match, the operation is allowed; otherwise return a 401 Unauthorized status code. An unknown user id should produce the same 401, so the response does not reveal which ids exist.
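The whole exchange, from issuing the shared secret at Authenticate through client-side token calculation to server-side verification, as an added example that is not code from the original post. It assumes a custom "HMAC" scheme word, HMAC-SHA256 in place of the page's HMAC-SHA1, and a timestamp in StringToSign as a replay guard; the user ids, secret store and request values are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Service-side store: user id -> shared secret, filled in when /Authenticate succeeds.
# (Constructed for the example; a real service keeps this in a database or cache.)
SECRET_STORE: Dict[str, str] = {}

# Custom scheme word instead of "Basic", so frameworks and proxies do not try to
# parse the token as HTTP Basic credentials (an assumption of this example).
SCHEME = "HMAC"
MAX_CLOCK_SKEW = 300  # seconds; requests older than this are rejected (replay guard)


def authenticate(user_id: str) -> str:
    """Service side of POST /Public/api/v1/Authenticate.

    Called only after the credentials have been checked against LDAP or the
    password table (not shown). Issues a random shared secret and stores it
    keyed by user id, as the page describes.
    """
    secret = secrets.token_hex(32)
    SECRET_STORE[user_id] = secret
    return secret


def string_to_sign(verb: str, content_type: str, uri: str, timestamp: int) -> str:
    """Canonical string covered by the signature.

    The page signs verb + content type + URI; a timestamp is added here (assumption)
    so a captured request cannot be replayed indefinitely. Fields are newline-separated
    so that, for example, 'GET' + '/a' cannot collide with 'GE' + 'T/a'.
    """
    return "\n".join([verb.upper(), content_type, uri, str(timestamp)])


def sign(secret: str, message: str) -> str:
    """HMAC over the UTF-8 message, keyed with the shared secret (never the user id)."""
    return hmac.new(secret.encode("utf-8"), message.encode("utf-8"), hashlib.sha256).hexdigest()


def build_authorization(user_id: str, secret: str, verb: str, content_type: str,
                        uri: str, timestamp: int) -> str:
    """Client side: Token = base64(userid:signature), sent as 'Authorization: HMAC Token'."""
    signature = sign(secret, string_to_sign(verb, content_type, uri, timestamp))
    token = base64.b64encode(f"{user_id}:{signature}".encode("utf-8")).decode("ascii")
    return f"{SCHEME} {token}"


def verify_request(authorization: str, verb: str, content_type: str, uri: str,
                   timestamp: int, now: Optional[int] = None) -> int:
    """Service side: recompute the signature from the incoming request and compare.

    Returns an HTTP status code: 200 when the request is accepted, 401 otherwise.
    Every failure path returns the same 401 so the response leaks nothing.
    """
    now = int(time.time()) if now is None else now
    try:
        scheme, token = authorization.split(" ", 1)
        if scheme != SCHEME:
            return 401
        user_id, presented = base64.b64decode(token).decode("utf-8").split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return 401  # malformed header or token
    # 1. Get the shared secret from the store using the user id.
    secret = SECRET_STORE.get(user_id)
    if secret is None:
        return 401  # unknown user: same answer as a bad signature
    # Replay guard: reject timestamps too far from the server clock.
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return 401
    # 2./3. Rebuild the string to sign from the request's own properties and HMAC it.
    expected = sign(secret, string_to_sign(verb, content_type, uri, timestamp))
    # 4. Constant-time comparison, so timing does not reveal how many bytes matched.
    return 200 if hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8")) else 401


if __name__ == "__main__":
    # Constructed exchange: Client A authenticates, then calls GET /Employee/1.
    secret_a = authenticate("clientA")
    ts = int(time.time())
    header = build_authorization("clientA", secret_a, "GET", "application/json", "/Employee/1", ts)
    print(header)
    print("Client A, same request:    ", verify_request(header, "GET", "application/json", "/Employee/1", ts))
    # Client B captured the header and reuses it for a different resource: rejected.
    print("Client B, other resource:  ", verify_request(header, "GET", "application/json", "/Employee/2", ts))
    # The same header replayed a day later is also rejected.
    print("Replay one day later:      ", verify_request(header, "GET", "application/json", "/Employee/1", ts, now=ts + 86400))
```

The server never trusts the verb or URI inside the token; it signs what it actually received, which is what makes a captured signature useless for any other request.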