Loading ...
Sorry, an error occurred while loading the content.

Re: [rest-discuss] HMAC based authorization - Security for REST services

Expand Messages
  • Unmesh Joshi
    Thats useful is we are using varnish. But nothing for Apache. One reasonable way seems to be using something like noodle or j2ep and add hmac authorization
    Message 1 of 3 , Feb 8, 2013
    • 0 Attachment
      Thats useful is we are using varnish. But nothing for Apache. One reasonable way seems to be using something like noodle or j2ep and add hmac authorization code there. This also seems to be a standard pattern 'Message Interceptor Gateway' in web services security world. 


      On Fri, Feb 8, 2013 at 5:06 PM, Erlend Hamnaberg <ngarthl@...> wrote:
      Check out varnish (no affiliation), vmod-digest.


      --
      Erlend


      On Fri, Feb 8, 2013 at 7:03 AM, unmesh_joshi <unmeshjoshi@...> wrote:
       

      Hi,

      For building secure RESTful services, its common practice to have digital signature (HMAC hash) in the Authorization Header, along with the secret key id. The implementation seems fairly standard where
      1. Client adds Date: header to the request.
      2. Client builds digital signature with url path parameters and query parameters and headers.
      3. Client puts Authorization Header as
      Authorization: :

      On Server side.
      1. Server checks existence of required header.
      2. Server retrieves the private key for the secrete key id provided in the Authorization Header (Note: This can be typically done by calling a Key Management service over SSL, which is deployed in a secured network)
      3. Server computes HMAC has with the same method that client has used.
      4. Server matches the hash with the one provided by the client.
      5. If the hash matches, server forwards the request for further processing.
      6. If hashes dont match, server returns 401 UnAuthorized response to client.

      It is also a standard patterns in Web Services world to use Message Interceptor Gateway (listed in http://www.coresecuritypatterns.com/patterns.htm).
      This way security gateway is a separate tier between client and the actual web service endpoint.

      This logic is very standard and I think this can be implemented as a Apache plugin, which can intercept the request before forwarding it to Application Server.

      Is there any such standard plugin developed for Apache or any other web server?



    Your message has been successfully submitted and would be delivered to recipients shortly.