I'm creating a simple web service in PHP to serve data to some of our internal applications.
My question is around authentication/security, the implementation of the actual web service isn't a problem.
For security, I'm planning on providing each application that will be consuming the service with a unique, periodically static authentication code that they use when call into the service. The service code then checks an internal list to see if the authentication code being used is a valid one, and provides access to the data if it is.
E.g.
xxx.xxx.com/ws.php?op=getproductnameslist&authcode=329cj32x21xdd332
The service is being served over HTTPS, so transmission of the actual data should be encrypted.
I'd like some comments on the above in terms security concerns, and if there is a better way to do this.
Securing a WebService is not as simple as passing a get parameter through the URL. Get parameters are logged on HTTP server logs and easily copy/pasted and manipulated.
WebService security is not a simple problem, try to use well know solutions, I would go with OAuth. PHP has a good implementation here http://php.net/manual/es/book.oauth.php
You can also check this post about Web Services security http://www.stormpath.com/blog/secure-your-rest-api-right-way
Related
I'm having troubles to figure out how web services handle requests and send responses, and how my site/module will handle it. So these are my questions and bellow a little about why i am asking this:
What is the right way to send a request to web service?
How a web-service will usually answer a site requesting?
How a PHP site can send a request to a web-service? Is cURL the right way?
I'm a student who are learning PHP and a lot of other things, and my job now is create a Joomla Module to show information from a web service (probably created in java or something, probably created by me, when i learn java...).
I know i will use http requests to talk with the web service, but i worry im using it wrong (making a request to the url, like the browser).
So, i did a little example site and a example API. The api uses Slim microframework to create routes, access my database and return the content in json (what means: if i access 'api.com/api/something' in my browser i see a plain white page with a lot of json). I pretend this is my web service.
The example site send a request to the API with cURL, reads the content and decode the json and do things. It seems forced to me.
I have not much support to understand web services and if i am in the right way (or far from this).
I would appreciate your help.
You are on the right track. A web service is simply a processing or storage facility intended to be accessed by some other program just like a database or fileserver service.
What is the right way to send a request to a web service
It depends. The most common implementations use SOAP or REST which define additional semantics on top of the HTTP protocol. SOAP uses a single URL as a gateway to the service and more specific selection of the functionality and the relevant data is embedded within an XML payload presented via POST. HTTP is merely a bearer for the message exchange. In REST, the HTTP part is integrated into the semantics of the transaction.
The URL identifies the location of the data (or processing function)
The payload contains only data, usually presented as POSTed JSON or XML,
further REST uses the HTTP verb (GET, POST, PUT, DELETE) to indicate the requested action
the HTTP headers are used to convey transaction meta-data.
How a web service will usually answer a request
I'm not sure what you are asking here. It should report back on the state of the request, any relevant error messages and possibly some data.
The speciifics would be unique to the API and documented.
Is cURL the right way?
While it is possible to do a lot with the HTTP wrappers functionality in PHP, libcurl offers an lot more flexibility. So, yes this it would be hard to implement a REST client without using cURL, OTOH a SOAP client is (usually) less complex at the HTTP tier but life is a lot simpler if you use a SOAP library/framework to abstract the more complex protocol.
For future questions please have one question per entry.
What is the right way to send a request to web service?
That really depends on the web service, what they require. It can be as simple as a short text string, to sending a XML formatted or JSON formatted array. You need to research the relevant web service.
How a web-service will usually answer a site requesting?
Again it depends on the web service. They are not the same. A web service will have documentation on what it expects and how it will respond.
How a PHP site can send a request to a web-service? Is cURL the right way?
Curl is a good method and is usually the method used from within PHP.
I built an application in an objective c that performs user registration into DataBase (MYSQL) using PHP with METHOD - GET.
Is there any way for me to know if the received parameters came through the app and not via computer or manually?
I mean, anyone can discover the address of the server running the PHP code and embed
some manually parameters as: reg.php?name=someuser&pass=password.
If your application has some kind of secret token and you use HTTPS with certificate validation then it's less likely to be a problem.
Remember that the contents of your application can be read by the user if they're determined, and the contents of your API calls can be intercepted and examined with a proxy application if you're not careful to validate the SSL endpoint against known-good certificates.
Normally registrations are sent via POST, not GET.
You can either transmit the secret directly, as a sort of proof that you're using the Objective-C application, or to make it harder to discover, then by signing your request using something like SHA256 where that secret is a salt.
The short answer is that yes, this is a security vulnerability.
Resolving this security vulnerability via $_POST Method
If you were to use the $_POST method instead, name and pass would be passed in the document's headers; going undetected in the URL. Then your web application could test for the presence of these variables, which would allow you to reject users who try to access the script from outside of your Obj-C app.
Better yet, also include a security token or hash parameter in the $_POST method, and test for the presence of that in your web application. On top of this, don't forget to clean your input before you allow it to touch your database, as an extra safety precaution.
Fixing further security issues & vulnerabilities
The web application might use HTTPS.
Should check for the presence of other environment variables to indicate if the client is accessing your website from the Obj-C environment.
I am looking to build an API that I can deploy on my servers to monitor system load.
It will report to a central manager server that runs a client to display the information.
The issue I am struggling with is best to secure the API.
What I want is for the client to be the only software that can access the server and retrieve this information but I am unsure how to achieve this using PHP.
I also want the possibility of distributing the API and client for others to use on their servers so I don't want people to be able to access other people data if they are using the API also.
The client is also written in PHP using MySql and has a secure login.
This sounds like you're trying to solve the wrong problem.
I also want the possibility of distributing the API and client for others to use on their servers so I don't want people to be able to access other people data if they are using the API also.
The only right answer to this is authentication. You need to protect your API by giving each user access credentials known only to them.
Your API must never reveal any data that the client isn't allowed to see as per their authentication credentials. Trying to work around this danger by trying to somehow protect the client from prying eyes is not safe - somebody who has access to the client and can observe it running will be able to reverse engineer any traffic between it and the server given enough effort.
If the API is properly secured, it won't matter to you which client tool is used to access it. The requirement to limit API access to a certain program will go away.
if you use SSL, along with authentication (i use 3rd party auth google, fb, etc), create data /reports on the fly and have the data saved in a subdirectory OUTSIDE your web folder (instead of /var/www, /var/myStorage/currentSessionId/), then you basically guarantee the security that you want.
your php will only access a subdir that is named for the session it is running under.
I am a complete newbie in this topic so please excuse me for my ignorance. Our company has a PHP based REST service created for consumption by an iPhone app. We make several POST calls to the REST API: www.mywebsite.com/api/rest and we send the method name and the parameters to the service. The service in turn returns a XML response which is GZip encoded. This is working fine.
I am assigned with a task to secure these call so that data that is getting passed to the service is not in plain text/is not visible using tools like Charles Proxy and other sniffing tools. In the past I have used some iPhone apps which also makes REST calls but they don't show up in such tools. I would like to know how to implement such a thing in a normal PHP based REST service so the data getting transmitted is not visible/ can be made secure.
I thought about using HTTPS but if we use HTTPS, I hear from others that the service/server will become slow and I am not too sure if the iPhone client will accept HTTPS calls.
Please advice.
Thanks in advance,
Senthil
It sounds like you're trying to secure the transport layer, and assuming that's the case then SSL/TLS is surely the way to go. Yes, chances are there will be some performance impact, but the security is probably worth it.
I'm working on developing a native android application to retrieve data for a user from my company's website.
Because the data is specific to the user, I need to authenticate with our web server, but I'm unsure of the best way to go about this. I've been reading about REST/SOAP/HTML form auth, but I can't really find any definite 'this is how its done' anywhere. I know mobile apps do this kind of thing all the time - just look at facebook/skype/any email app - you have to login before you can do anything.
My question is - how should I architect the server side code (php) to easily allow me to authenticate a user from my android device?
I'm fairly new to the 'web service' arena - does this fall into that category? Are there any tutorials you guys would recommend looking at?
Thanks!
While I haven't developed for Android, I can suggest that you simply rely on some stateless authentication scheme, such as HTTP Basic or Digest. This means that the credentials will be passed with each and every request, and you avoid having to keep track of state, which means you can keep your API nice and RESTful.
I suspect if I were writing an android app, in most cases, I'd probably first try to get communication working with something at-least-vaguely RESTful, using HTTP Basic auth, and JSON encoding (just because PHP makes (de)serializing JSON so easy).
Of course, depending on your problem domain, that might not be ideal, but it's a good architecture to try first, because it's pretty easy all-around. If it fails you, you can go back and start swapping parts out, until you find the right architecture.
Some mobile apps use OAuth to authenticate with a web server, such as twitter has. This may not be exactly what you're looking for, but none-the-less here's an example: You would log in to web service and authenticate the mobile app (which would have requested access) to be able to utilize your data on web service, like an access key (actually called a token) with which the mobile app then utilizes to communicate with the web service on your behalf; the token could be then passed as part of the url. You'll still likely want to consider SSL or some level of encryption.
This post may also be of help for you