API Design Guidelines


priiya

May 1, 2013, 4:58:56 AM
to api-...@googlegroups.com
Hi,


I am designing a Library management system.
It has 2 parts, a GUI and a Restful Service.

Users interact with the GUI to perform the available operations (i.e. search, reserve books).
And the GUI interacts with the RESTful service for CRUD operations.

There could be other 3rd party clients which can interact with the RESTful service.

I am stuck at imposing security, and I need help with the following:

1: Preventing one user from looking at other users' reserved/ordered books.
2: Shall I treat my GUI also as a third party client? Please provide strategies or best practices.
3: How to prevent intruders from modifying the request parameters, like in a man-in-the-middle attack.


Looking forward to hearing a reply. Thanks in advance.

Priya





Brian Fending

May 1, 2013, 9:09:50 AM
to api-...@googlegroups.com
Hi, Priya. There's a lot of depth to your inquiry, so please pardon the injustice I am about to do with my short reply.

1. Check out how oclc/worldcat does this, if not as an example, to understand what the rest of the library industry is doing in this regard. http://oclc.org/developer/webservices

2. Absolutely. Eat your own dog food, IMO.

3. Your security considerations for the platform will transcend API architecture. But to the breadth of your question, it might be really useful to read this article (and read all of the many links!) to get some pro/con lists: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/ Despite the tone of the article, there's a lot there to guide you in addition to what the rest of the group here will more specifically contribute.

(Told you it would be short.)
--
You received this message because you are subscribed to the Google Groups "API Craft" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-craft+...@googlegroups.com.
Visit this group at http://groups.google.com/group/api-craft?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
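As an added illustration of points 1 and 3 in Priya's question and of the HMAC-style request signing the linked article discusses (example code written for this thread, not taken from the article or any project), the sketch below shows a server-side handler for a reservations endpoint. It assumes a shared secret per API client (the GUI being just one such client), a timestamp parameter for replay limiting, and a session user that the server has already authenticated; all names and sample data are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample data (not from the thread): one shared secret per API
# client, and the books each user has reserved.
CLIENT_SECRETS = {"gui": b"gui-client-secret", "partner": b"partner-secret"}
RESERVATIONS = {"priya": ["978-0135957059"], "bob": ["978-0596007126"]}
MAX_SKEW = 300  # seconds a signed request stays valid (limits replay)


def canonical(method, path, params):
    """Canonical request string; every parameter is covered by the signature."""
    return "\n".join([method.upper(), path, urlencode(sorted(params.items()))])


def sign(secret, method, path, params):
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    msg = canonical(method, path, params).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(client_id, signature, method, path, params, now):
    """Server side: reject unknown clients, stale timestamps and any request
    whose parameters differ from what the client actually signed."""
    secret = CLIENT_SECRETS.get(client_id)
    if secret is None:
        return False
    try:
        if abs(now - int(params.get("ts", ""))) > MAX_SKEW:
            return False
    except ValueError:
        return False
    return hmac.compare_digest(sign(secret, method, path, params), signature)


def get_reservations(session_user, client_id, signature, path, params, now):
    """GET /reservations: the user whose books are returned comes from the
    authenticated session, never from a request parameter, so no client can
    read another user's reservations by editing the query string."""
    if not verify(client_id, signature, "GET", path, params, now):
        return 401, []
    return 200, RESERVATIONS.get(session_user, [])


if __name__ == "__main__":
    params = {"ts": "1000", "user": "priya"}
    sig = sign(CLIENT_SECRETS["gui"], "GET", "/reservations", params)
    print(get_reservations("priya", "gui", sig, "/reservations", params, 1000))
    # Same signature, but a parameter was altered in transit: rejected.
    tampered = dict(params, user="bob")
    print(get_reservations("priya", "gui", sig, "/reservations", tampered, 1000))
```

Signing alone does not hide the request from an eavesdropper, so TLS is still needed for confidentiality; the signature only makes silent modification detectable.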
 
 

snow6oy

May 14, 2013, 4:14:49 AM
to api-...@googlegroups.com
Hi Priya,

It sounds like you are thinking about application security (the GUI) and user security separately. This is good! Keep doing that :-)
I would restrict application "security" to simple identification, information gathering about service usage, etc.
For user-level security there are frameworks such as CAS (http://www.jasig.org/cas) or ForgeRock (http://forgerock.com/) that may be helpful.