0

I'm developing a little server-side API to use with a Java client (which I wrote too).

The API is written with Jersey (RESTful) and running on a Tomcat server. The data it provides is passed to the client as a JSON string and all communication is performed via HTTP.

I now want to ensure that only my own client program is able to access the API (at the moment, as it's HTTP, everyone could receive the JSON data via an ordinary browser). Therefore, I'm looking for a way to "identify" my client-side program to the API with a key or something like that. I first thought about using the user-agent for identification, but this could easily be copied. So I need some kind of key which changes dynamically or something like that.

What's a good way to do that?

I searched the net but didn't find a proper answer (maybe wrong keywords?), so I'm happy for every hint and/or link about that topic.


Edit: The client-side program is an Android app. I want to make sure no one is creating a similar app and using my server for his purpose.

3
  • You can't do it. Anyone could make their browser look exactly like your client, as it is code running on their own computer. Commented Aug 4, 2013 at 19:16
  • The typical verbiage is "api key" as used by Facebook and other sites with app capabilities. These keys are usually of significant length. However, everything sent over http will be visible to "the internet" and thus will have no practical security value. Commented Aug 4, 2013 at 19:18
  • @abiessu API keys sound interesting. The only problem is, as you mentioned, everyone could read one of the keys out of the HTTP package and simply reuse it. Commented Aug 4, 2013 at 19:45

1 Answer

4

If the attacker has the client in his possession, there's almost no security that can't eventually be compromised.

A good start that's fairly out of the box is bi-directional SSL authentication (client and server certificates). This is supported out of the box and requires few code changes.
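
The client side of the bi-directional SSL setup described in this answer, as an added example that is not part of the original answer: the Java client presents its own certificate and trusts only the API server's certificate. The class name, the PKCS#12 file format, and the five command-line arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    // Loads a PKCS#12 keystore from disk (format is an assumption of this example).
    static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // clientIdentity holds the client's private key and certificate (what the
    // server verifies); trustedServers holds only the server or CA certificate
    // (what the client verifies), so the system-wide CA list is not used.
    static SSLContext mutualTlsContext(KeyStore clientIdentity, char[] keyPassword,
                                       KeyStore trustedServers) throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientIdentity, keyPassword);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustedServers);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: MutualTlsClient <client.p12> <clientPass> "
                    + "<trust.p12> <trustPass> <https-url>");
            System.exit(2);
        }
        KeyStore identity = loadPkcs12(args[0], args[1].toCharArray());
        KeyStore trust = loadPkcs12(args[2], args[3].toCharArray());
        SSLContext ctx = mutualTlsContext(identity, args[1].toCharArray(), trust);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[4]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The handshake happens here; it fails with an SSLException if either
        // side rejects the other's certificate.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The server must be configured to require a client certificate (in Tomcat 7, `clientAuth="true"` on the HTTPS connector), otherwise the client certificate is never checked. As the answer notes, a key shipped inside the app can eventually be extracted by someone who has the client.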
