FRAPI Security


Becks

Aug 29, 2011, 9:52:36 AM
to frapi-dev
Hello everyone,

I am using FRAPI in a current project at the university and so far I
like it. Everything works as it should. However, since the project is
about sensitive user data (health data) I have to secure the
communication and storage. So far I only secured communication using
HTTPS. Is there any best-practice to allow only authenticated users to
consume the web service (except for the API-Key)?

Thank you for your hints.

David Coallier

Aug 29, 2011, 12:01:57 PM
to frap...@googlegroups.com
Yep, what you have to do is make the actions non-public (in the action
edit section) and add the users you want to the "Partners" section of
the administration interface. This will force everyone to use HTTP
Digest Authentication. Add this on top of SSL and you should be fine
:-)

--
David Coallier

Becks

Aug 30, 2011, 8:18:06 AM
to frapi-dev
Hi David,

Thank you for the fast answer. Unfortunately it didn't solve my
problem; however, I'd like to leave my solution here for others in the
future. Since users can create accounts in my application it is
impossible for me to add every single one of them to "Partners". The
user credentials are stored in a MySQL database. My solution is to
use the Apache module "mod_auth_mysql". I then check the user
credentials for every request - are they allowed to use the web
service? Secondly I use $_SERVER[PHP_AUTH_USER] and
$_SERVER[PHP_AUTH_PW] to check if the specified user has access to the
resource he requested.
SSL secures communication. Right now the passwords in the database are
stored in plain text; this is going to be changed to crypt() soon.

On 29 Aug., 18:01, David Coallier <dav...@php.net> wrote:
> Yep what you have to do is make the actions non-public (In the action
> edit section) and add the users you want to the "Partners" section of
> the administration interface. This will force everyone to use HTTP
> Digest Authentication. Add this on top of SSL and you should be fine
> :-)
>
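The two-step check described in this post (are the credentials valid at all, then may this user read the requested resource), as an added PHP example that is not FRAPI's or the poster's code. It stores crypt() hashes instead of plain text and verifies them in constant time; the table layout, in-memory SQLite store and the sample user are constructed for the demo. One caveat worth knowing: PHP_AUTH_USER and PHP_AUTH_PW are only populated for HTTP Basic authentication (Digest exposes just PHP_AUTH_DIGEST), so this scheme sends the password on every request and relies on the HTTPS already in place.

```php
<?php
// Added example, not FRAPI or the poster's code. Table layout, in-memory SQLite
// store and the sample user are constructed for the demo; with mod_auth_mysql
// the same users table would also back Apache's own check.
function buildDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT NOT NULL)');
    // crypt() with a random per-user SHA-512 salt ($6$) instead of plain text.
    $salt = '$6$' . bin2hex(random_bytes(8)) . '$';
    $db->prepare('INSERT INTO users VALUES (?, ?)')
       ->execute(['alice', crypt('correct horse', $salt)]);
    $db->exec("INSERT INTO records VALUES (42, 'alice'), (43, 'bob')");
    return $db;
}
// Step 1: are the supplied credentials valid at all? Returns the user name or null.
function authenticate(PDO $db, ?string $user, ?string $pw): ?string {
    if ($user === null || $pw === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return null;
    }
    // crypt() reuses the salt embedded in the stored hash; compare in constant time.
    return hash_equals($hash, crypt($pw, $hash)) ? $user : null;
}
// Step 2: may this authenticated user read the record they asked for?
function mayAccess(PDO $db, string $user, int $recordId): bool {
    $stmt = $db->prepare('SELECT owner FROM records WHERE id = ?');
    $stmt->execute([$recordId]);
    return $stmt->fetchColumn() === $user; // false when the record does not exist
}
// Request glue: PHP_AUTH_USER/PHP_AUTH_PW exist only for Basic auth, so the
// password crosses the wire and the scheme depends on the HTTPS already in place.
$db = buildDemoDb();
$user = authenticate($db, $_SERVER['PHP_AUTH_USER'] ?? 'alice',
                     $_SERVER['PHP_AUTH_PW'] ?? 'correct horse'); // demo fallback
if ($user === null) {
    header('WWW-Authenticate: Basic realm="api"');
    http_response_code(401);
    exit;
}
$recordId = (int) ($_GET['id'] ?? 42);
http_response_code(mayAccess($db, $user, $recordId) ? 200 : 403);
```

On any PHP from 5.5 onward, password_hash() and password_verify() replace the manual salt generation and crypt() comparison shown here.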