I have a RESTful webservice which communicates over HTTPS. I want to prevent other developers from calling the API. The API sits in front of a database which pulls data from a number of sources so i want to have control over who uses it. Using a login page is not an option
I’ve looked at Spring-security and OAuth however neither offers exactly what I need. I don’t want to place a login page in front of the web service instead I just want to return a 400 or 401 http code when an unknown application attempts to call my service.
Can anyone recommend how i can implement this?
Outcome Thanks for feedback on this question. In the end i resorted to using an Apache module called mod_authz_host which allows you to restrict HTTP patterns to specific domains. While it is possible to spoof the domain this was for an internal app so the security requirement is more relaxed. I’ve includes a snippet below with details of how to use the Apache module
Include the following inside a Virtual host
<Location /yourProtectedServices/ws>
Order deny,allow
Deny from all
Allow from trusteddomain.com
</Location>
In your internal system you can create a list of Applications that have access with access tokens. Only developers/client apps with these authorised access tokens will then have access. The catch on this is if the client app source code is viewable by others.
E.g. if someone created an Android Application with the access token in the code it could be reverse engineered when it is distributed in the app store.
Update:
For a more in depth view regarding security.
http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/