I’m having security issues using a REST service to access a database to log users in. I have it working, but I know it can’t stay like that because the password isn’t encrypted in any way and is travelling through the URL. This is my code:
First, the code that sends the request:

    import android.app.AlertDialog;
    import android.util.Log;
    import org.apache.http.HttpEntity;
    import org.apache.http.HttpResponse;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.util.EntityUtils;

    private void validateUser(String user, String pass)
    {
        String URL = "http://myserviceserver/MyService.svc";
        AlertDialog popup;
        try {
            // User name and password travel in clear text as URL path segments
            HttpGet request = new HttpGet(URL + "/Validate" + "/" + user + "/" + pass);
            request.setHeader("Accept", "application/json");
            request.setHeader("Content-type", "application/json");
            DefaultHttpClient httpClient = new DefaultHttpClient();
            HttpResponse response = httpClient.execute(request);
            HttpEntity responseEntity = response.getEntity();
            // Read the whole response body; a single read() into a buffer sized by
            // getContentLength() can come up short, and the length may be -1 (unknown)
            String resultado = EntityUtils.toString(responseEntity);
            if (resultado.contains("true"))
            {
                popup = createAlertDialog("Message", "User Validated", "OK");
                popup.show();
            }
            else
            {
                popup = createAlertDialog("Message", "User NOT Validated", "OK");
                popup.show();
            }
        }
        catch (Exception e)
        {
            // Log the failure instead of silently swallowing it
            Log.e("validateUser", "Validation request failed", e);
        }
    }

Now, from the server side, this is my service interface:

    using System.ServiceModel;
    using System.ServiceModel.Web;

    [ServiceContract]
    public interface IMyService
    {
        // Both operations receive the credentials as URL path segments
        [OperationContract]
        [WebInvoke(Method = "GET", UriTemplate = "Create/{user}/{pass}/{email}")]
        bool CreateNewAccount(string user, string pass, string email);

        [OperationContract]
        [WebInvoke(Method = "GET", UriTemplate = "Validate/{user}/{pass}")]
        bool ValidateUser(string user, string pass);
    }

Now, this works like a charm, but it is as insecure as it gets, and I don’t quite understand how I can hide the sent information, because right now I’m logging in by simply making a request to http://myserviceserver/MyService.svc/Validate/user/password.
Any help will be appreciated 🙂
If what you’re worried about is man-in-the-middle attacks, I’d recommend HTTPS: certs are pretty cheap and most of those problems do go away if you use HTTPS.
If you’re worried about leaking stuff in the server logs, well, I’d put the arguments as request parameters rather than part of the request. It looks like you’re actually USING the username/password as arguments to your server methods, so HMACs won’t entirely help you there. For the requests that are not using the parameters passed you may want to switch to a hash authentication scheme.
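
An added example (not part of the original posts) of the client request using HTTPS as the answer recommends, with the credentials moved out of the URL path into a POST body so they do not appear in the URL or in server access logs. It assumes the service has a certificate the device trusts and that the Validate operation is changed to accept a POST with a JSON body and return the JSON literal `true` or `false`; the class name `LoginClient`, the `baseUrl` parameter and the JSON field names are illustrative.

```java
import java.net.URI;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;
import org.json.JSONObject;

public class LoginClient {

    /** Builds the JSON body; JSONObject escapes quotes and control characters in the values. */
    static String buildBody(String user, String pass) throws Exception {
        JSONObject body = new JSONObject();
        body.put("user", user);   // field names are assumptions, match them to the server contract
        body.put("pass", pass);
        return body.toString();
    }

    /** Returns true only when the server answers 200 with a body of exactly "true". */
    static boolean validateUser(String baseUrl, String user, String pass) throws Exception {
        URI endpoint = URI.create(baseUrl + "/Validate");   // no credentials in the URL
        if (!"https".equalsIgnoreCase(endpoint.getScheme())) {
            // Fail closed: never fall back to plain HTTP for a login request
            throw new IllegalArgumentException("Refusing to send credentials over " + endpoint.getScheme());
        }

        HttpPost request = new HttpPost(endpoint);
        request.setHeader("Accept", "application/json");
        StringEntity entity = new StringEntity(buildBody(user, pass), "UTF-8");
        entity.setContentType("application/json");
        request.setEntity(entity);

        DefaultHttpClient httpClient = new DefaultHttpClient();
        try {
            HttpResponse response = httpClient.execute(request);
            HttpEntity responseEntity = response.getEntity();
            if (responseEntity == null) {
                return false;   // no body means no positive answer
            }
            String result = EntityUtils.toString(responseEntity, "UTF-8").trim();
            // Exact match instead of contains("true"), so an error page cannot count as success
            return response.getStatusLine().getStatusCode() == 200 && "true".equals(result);
        } finally {
            httpClient.getConnectionManager().shutdown();   // release the connection
        }
    }
}
```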