Question

I have a public-facing web service that has a token-based security system. Login is accomplished by providing a username & password, and a unique token is returned that is used going forward whenever the service is called.

My question is this: Is there a secure way to differentiate between a call coming from outside our internal network and a call coming from within? I would like to provide elevated privileges to clients that are calling the service from within our internal network. Specifically, we have a website running on the same network as our web services, and I would like to give the website elevated privileges when calling our service.

Is there a secure way to do this when the web service is public facing? What I don't want is for someone from outside our internal network to somehow get access to elevated privileges.

The services were implemented using Java and the CXF framework.


Solution

Definitely possible, here's how I would suggest doing it.

Have a reverse proxy that sits between your application and the external clients. This reverse proxy would authenticate the token and set the required privileges in the request header.

Elevating privileges for internal clients can be done by the following approaches:

  1. Set an authenticate header in the requests on the reverse proxy. If this header is set to true, it signals that the call is from an external client. The app can decide if it needs to authorize based on this header. Internal clients can call this service without having to go through any authentication/authorization. Note that this would completely eliminate any auth for internal clients.

  2. Have rules on the RP that can set additional headers containing elevated privileges based on the IP of callers. Internal clients' IPs can be made into a list for which this applies.

  3. Have two endpoints for internal and external clients with reverse proxies on both of them. The internal one would set elevated privileges in the request headers.
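The proxy step behind approaches 1 and 2, as an added example in Go rather than the asker's Java/CXF (not code from the answer): the privilege header is derived from the TCP peer address only, and any copy the caller supplied is stripped first, because a backend that trusts this header is only safe if nothing but the proxy can set it. The header name and the CIDR ranges are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Assumed header name (not from the answer); the CIDRs below are constructed stand-ins for the internal IP list.
const privHeader = "X-Elevated-Privileges"

// isInternal tests the TCP peer address only; X-Forwarded-For is ignored because an external caller sets it freely.
func isInternal(remoteAddr string) bool {
	host, _, _ := net.SplitHostPort(remoteAddr)
	ip := net.ParseIP(host) // nil for a malformed address, which then never matches
	for _, c := range []string{"10.0.0.0/8", "192.168.0.0/16"} {
		if _, n, err := net.ParseCIDR(c); err == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// applyPrivilegeHeader is the proxy step: drop any client-supplied copy, then set it only for internal peers.
func applyPrivilegeHeader(r *http.Request) {
	r.Header.Del(privHeader)
	if isInternal(r.RemoteAddr) {
		r.Header.Set(privHeader, "true")
	}
}

// Privilege returns what the backend sees; forgeHeader simulates a caller sending the header itself.
func Privilege(remoteAddr string, forgeHeader bool) string {
	r := httptest.NewRequest(http.MethodGet, "/service", nil)
	r.RemoteAddr = remoteAddr
	if forgeHeader {
		r.Header.Set(privHeader, "true")
	}
	applyPrivilegeHeader(r)
	if r.Header.Get(privHeader) == "true" {
		return "elevated"
	}
	return "standard"
}

func main() {
	fmt.Println(Privilege("10.1.2.3:51000", false), Privilege("203.0.113.7:44000", true))
}
```

The same stripping must happen on every path into the backend; if the service is also reachable without passing through the proxy, the header carries no assurance at all.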

Other tips

You have options; I can think of at least 2 approaches immediately. 1) Also require an API key to access your web services, and special-case the access provided to the website based on its key. 2) Elevate privs based on the IP address of the requestor (website, or internal network).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow