Best practice in securing user creation for a REST API

I'm currently working on an iPhone/Android project where the mobile app talks to a Java backend server through REST API calls.

The Java backend is done using Spring and its authentication system (with a JSESSIONID token).

I'm not an expert in security, but I can see that, if not implemented correctly, there could be quite a lot of issues.

One of my biggest concerns would be user creation, for example. When the app creates a user it simply makes a POST request to (url.com/rest/create).

How can I prevent, server side, a malicious user from putting this URL in a loop and creating thousands of users?

What are common best practices to secure API calls? Is the Spring authentication token enough?

Thank you!

Johny19 asked Oct 17 '25 20:10


2 Answers

It's not really possible to prevent a client from making many calls to your server. A malicious user can create a script or application firing requests to your server.

The solution is to authenticate and authorize the calls to the server. You give certain users (for example administrators) the privilege to create users. You trust those users to behave in a correct manner. You have your users authenticate before they call the APIs on your server. Then, on the server side you check who the user is and what he/she is allowed to do.

If you are still concerned about privileged users not behaving, you can assign a quota to each user on the actions they are allowed to perform.

MvdD answered Oct 20 '25 11:10


The high-tech solution (with as many framework functions as possible) would be:

  • first: have a created-by and created-date field on the entity you want to protect (I recommend using Spring Data JPA Auditing for that).
  • second: create a custom Spring method (or web) security expression that can check how many items the current user has created in the (for example) last 10 minutes and, if that is more than (for example) 20, returns false (or make them parameters of the method).

Then you can protect your method (or URL) with that expression (`@PreAuthorize("createsNotExceeded(10, 20)")`).

But this is the high-tech solution; it would be quite interesting to implement when one wants to learn Spring Security. (And you would need to add some caching, but this is also a Spring feature.)


The low-tech solution would be: put a list of timestamps in the user's session, and add a new item to that list whenever the user creates a new item. When the last (for example) 20 timestamp entries are within the last (for example) 10 minutes, then throw a TooMuchHeavyUseRuntimeException or something else.

Ralph answered Oct 20 '25 09:10
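A standalone sketch of the counting idea in Ralph's answer (added here; not code from the answer, from Spring, or from the asker's project): a per-principal sliding-window quota that serves both the custom-expression variant and the session-list variant, since each only needs "how many creates did this user make in the last N minutes". The class and method names, the 10-minute/20-item limits in `main`, the user name, and the bean reference in the comment are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Sliding-window creation quota: a principal may perform at most maxCreates
 * creations inside any window of the given length. Here the timestamps are
 * kept in memory per principal; the low-tech variant would keep the same
 * Deque in the HTTP session, the high-tech variant would count rows by
 * created_by/created_date instead of keeping timestamps at all.
 */
public class CreationQuotaGuard {
    // principal name -> timestamps of its recent creations (oldest first)
    private final Map<String, Deque<Instant>> history = new ConcurrentHashMap<>();

    /**
     * Checks the quota and, if there is room, records this attempt.
     * Returns false when the caller has already used up the window.
     * Attempts are counted whether or not the create later succeeds, which
     * is what we want when the goal is to throttle a looping client.
     * Wiring idea (assumed bean name): reference the bean from SpEL, e.g.
     * @PreAuthorize("@creationQuotaGuard.tryRecordCreate(authentication.name, "
     *   + "T(java.time.Instant).now(), T(java.time.Duration).ofMinutes(10), 20)")
     */
    public boolean tryRecordCreate(String principal, Instant now, Duration window, int maxCreates) {
        Deque<Instant> stamps = history.computeIfAbsent(principal, k -> new ArrayDeque<>());
        synchronized (stamps) {            // one principal's deque is touched by one thread at a time
            Instant cutoff = now.minus(window);
            while (!stamps.isEmpty() && stamps.peekFirst().isBefore(cutoff)) {
                stamps.pollFirst();        // forget creations that slid out of the window
            }
            if (stamps.size() >= maxCreates) {
                return false;              // quota exhausted: reject, e.g. with HTTP 429
            }
            stamps.addLast(now);
            return true;
        }
    }

    public static void main(String[] args) {
        CreationQuotaGuard guard = new CreationQuotaGuard();
        Instant t0 = Instant.parse("2025-10-17T20:00:00Z");   // constructed sample clock
        Duration window = Duration.ofMinutes(10);
        int allowed = 0;
        for (int i = 0; i < 25; i++) {                         // a burst of 25 creates, one per second
            if (guard.tryRecordCreate("johny19", t0.plusSeconds(i), window, 20)) allowed++;
        }
        System.out.println("creates allowed during burst: " + allowed);
        // eleven minutes later the whole burst has left the window, so the user may create again
        boolean later = guard.tryRecordCreate("johny19", t0.plus(Duration.ofMinutes(11)), window, 20);
        System.out.println("create allowed after the window passed: " + later);
    }
}
```

Passing the clock in as a parameter keeps the guard testable with a fixed `Instant`; in production the SpEL call above supplies `Instant.now()`.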


