How do I secure my REST API developed in Play Framework?
You might find the Securing Single Page Apps and REST Services article by James Ward useful; it's built using Play Framework, Java, jQuery, and CoffeeScript.
The reference source is here: https://github.com/jamesward/play-rest-security/
Jim
Updated on June 14, 2022
Comments
-
Jim almost 2 years
I have read a lot about this on here and other articles. First let me explain my situation.
Let's say I have the following REST backend:
GET /user
returns all users in JSON. (No need to be logged-in)
POST /user
registers a new user. (No need to be logged-in)
DELETE /user
deletes a user. (You do need to be logged-in)
POST /login
posts login credentials and returns a 200 OK on successful authentication. Also this creates a session with the username.
DELETE /login
logout; this deletes the session.
For user authentication and roles I use Deadbolt-2, so for example when
DELETE /user
is called, first the session will be viewed to determine whether you are logged in and then the username is used to determine if you have the correct permissions.
This works. My question is not about this kind of authorization/authentication. It is however about the following:
I want to secure the "public" API calls like:
GET /user
in a way so only front-end applications that are approved by me can access them.
I have read a lot about API keys and HMAC and OAuth. But it seems to me they are talking about the first scenario and not the second. So how would I go about this in my situation?
Thank you for your time.
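The HMAC approach the question mentions, as an added example that is not code from the question, the linked article, or Play Framework: the server keeps a shared secret per approved front-end (identified by a key id), the client signs the method, path, a timestamp and the body, and the server recomputes the signature in constant time and rejects stale timestamps to narrow the replay window. The key store, key id, secret and timestamp values are constructed for illustration; the check is plain Java so it can be called from a Play action or a Deadbolt handler without depending on either API. One caveat for a browser-based front-end: any secret shipped in JavaScript is visible to whoever loads the page, so this identifies a cooperating client rather than keeping the secret from a determined one.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public class ApiRequestVerifier {
    // Constructed sample key store: key id -> shared secret issued to an approved front-end.
    // In a real deployment this would come from configuration or a database, not source code.
    private static final Map<String, byte[]> API_SECRETS = new HashMap<>();
    static {
        API_SECRETS.put("frontend-web",
            "example-secret-not-for-production".getBytes(StandardCharsets.UTF_8));
    }

    // Requests whose timestamp is further than this from server time are rejected (replay window).
    private static final long MAX_SKEW_SECONDS = 300;

    /** Canonical string both sides sign: method, path, timestamp and body, newline separated. */
    static String canonical(String method, String path, long timestamp, String body) {
        return method.toUpperCase() + "\n" + path + "\n" + timestamp + "\n" + body;
    }

    /** HMAC-SHA256 of data under secret, hex encoded. */
    static String hmacSha256Hex(byte[] secret, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] digest = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Returns true only if the request was signed by a known key and its timestamp is fresh. */
    static boolean verify(String keyId, String signatureHex, String method, String path,
                          long timestamp, String body, long nowSeconds) throws Exception {
        byte[] secret = API_SECRETS.get(keyId);
        if (secret == null) return false;                                   // unknown front-end
        if (Math.abs(nowSeconds - timestamp) > MAX_SKEW_SECONDS) return false; // stale or future-dated
        String expected = hmacSha256Hex(secret, canonical(method, path, timestamp, body));
        // Constant-time comparison so signature checking does not leak via timing.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     signatureHex.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        long now = 1700000000L; // constructed "current time" in seconds
        // What an approved front-end would compute before calling GET /user.
        String sig = hmacSha256Hex(API_SECRETS.get("frontend-web"), canonical("GET", "/user", now, ""));
        System.out.println("valid request:  " + verify("frontend-web", sig, "GET", "/user", now, "", now));
        System.out.println("tampered path:  " + verify("frontend-web", sig, "GET", "/users", now, "", now));
        System.out.println("stale request:  " + verify("frontend-web", sig, "GET", "/user", now, "", now + 3600));
        System.out.println("unknown key id: " + verify("other-app", sig, "GET", "/user", now, "", now));
    }
}
```

The client sends the key id, timestamp and hex signature as request headers (the header names are up to you); the server reads them, pulls the same method, path and body from the request, and calls verify before the action runs. Pairing the timestamp check with a short-lived nonce cache would close the remaining replay window inside the skew.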
-
Jim almost 11 years
I found this about 2 hours ago by myself actually. This in combination with Carsten's comment is really helping me.