We currently have a J2EE system implementing most of the OWASP top 10 security measures, the application at the moment allows users to log on with a user/password combination which is stored in the database.
I have a java filter mapped to /* to check for session and session attribute presence to determine a user’s logged in state.
Ok, finally here is the problem: We are integrating with a company that manufactures devices to send a URL request via GPRS when a certain event occurs, this URL is a link to our system.
I would (without compromising security) like to authenticate this ‘device’, it is not possible to send the device any information, so a single request needs to be authenticated an no one should be able to ‘replay’ that URL
I do not know if this is possible without some sort of mutual authentication. I thought about a white-list of IP addresses to check against, but the networks constantly change IP’s and the device is still ‘unidentified’. Please advise any ideas?
PS: my temporary solution was to add a exception to my filter, but this is not long term and totally insecure. (SSL is also not an option)
You could let the device sign the request (including a unique request identifier) with a private key. Then, the server can check if the signature is valid and only accept/answer the request when it is.
The request ID can be used to ensure that such requests are not replayed. Using a simple counter for the request ID would mean that it’s very easy to check if a given identifier has already been used (i.e. if the request is being replayed).