views: 302

answers: 2

I want to build my web services serving JSON data utilizing RESTful architecture.

But I want only my own client apps to be able to make requests to my web services.

Basically, my web services contain sensitive data that is not for public consumption, but I wanted to build it that way so I can build many different client apps that connect to my web service.

Would appreciate any ideas for this, thanks.

+4  A: 

The fact that it's RESTful or uses JSON isn't a relevant factor when it comes to securing a web service. Any web service would need to be secured in the same manner. There are a few things you should do:

  1. If possible, don't host your web service on the Internet. If the web service is hosted within your company's LAN, for example, it won't be exposed to public consumption unless you specifically exposed it through your router.
  2. Set up authentication and authorization rules. If you're hosting your web service inside of a Windows domain, you could simply use Windows authentication and set up rules based on Active Directory users and groups. Other options are to use HTTP authentication, client certificate authentication, or if you're developing in .NET, forms authentication.
  3. Use encryption (HTTPS), especially if your web site is hosted on the Internet.
Jacob
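The authentication and authorization rules from points 2 and 3 above, as an added example that is not part of Jacob's answer. It checks HTTP Basic credentials against a constructed user store (a stand-in for the Active Directory or forms-authentication lookup the answer mentions), enforces per-resource group rules, and refuses to serve anything over plaintext HTTP. The user names, passwords, groups and `/api/...` paths are all hypothetical, and the environ dict follows the WSGI layout a Python web framework would hand you.

```python
"""Basic-auth + group-based authorization for a JSON web service (added example)."""
import base64
import hashlib
import hmac
import json

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so a leaked store does not leak plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-fixed-salt"  # hypothetical; real stores use a random per-user salt
# Constructed user store. In a Windows domain this lookup would be Active Directory.
USERS = {
    "alice": {"hash": _hash_password("correct horse", _SALT), "groups": {"finance", "staff"}},
    "bob":   {"hash": _hash_password("battery staple", _SALT), "groups": {"staff"}},
}
_DUMMY_HASH = _hash_password("", _SALT)  # compared against when the user is unknown

# Authorization rules: which groups may call which (hypothetical) resource.
ACCESS_RULES = {
    "/api/payroll": {"finance"},
    "/api/directory": {"staff"},
}

def authenticate(environ):
    """Return the user name if the HTTP Basic credentials are valid, else None."""
    scheme, _, encoded = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        user, _, password = base64.b64decode(encoded, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    record = USERS.get(user)
    # Always hash and compare so response timing does not reveal whether the user exists.
    expected = record["hash"] if record else _DUMMY_HASH
    ok = hmac.compare_digest(expected, _hash_password(password, _SALT))
    return user if (record and ok) else None

def authorize(user, path):
    """Return True if one of the user's groups is allowed to access path (deny by default)."""
    allowed = ACCESS_RULES.get(path)
    if allowed is None:
        return False  # unlisted resources are not exposed at all
    return bool(USERS[user]["groups"] & allowed)

def handle_request(environ):
    """Require HTTPS, then authenticate, then authorize. Returns (status, JSON body)."""
    if environ.get("wsgi.url_scheme") != "https":
        # Never accept credentials or return sensitive JSON over plaintext HTTP.
        return "403 Forbidden", json.dumps({"error": "https required"})
    user = authenticate(environ)
    if user is None:
        return "401 Unauthorized", json.dumps({"error": "authentication required"})
    path = environ.get("PATH_INFO", "")
    if not authorize(user, path):
        return "403 Forbidden", json.dumps({"error": "not permitted"})
    return "200 OK", json.dumps({"user": user, "resource": path})

def basic_header(user, password):
    """Build the Authorization header value exactly as a client would."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def make_environ(user, password, path, scheme="https"):
    """Constructed WSGI-style environ for a single request."""
    return {"wsgi.url_scheme": scheme, "PATH_INFO": path,
            "HTTP_AUTHORIZATION": basic_header(user, password)}

if __name__ == "__main__":
    print(handle_request(make_environ("alice", "correct horse", "/api/payroll")))          # 200 OK
    print(handle_request(make_environ("bob", "battery staple", "/api/payroll")))           # 403 Forbidden
    print(handle_request(make_environ("bob", "wrong", "/api/directory")))                  # 401 Unauthorized
    print(handle_request(make_environ("alice", "correct horse", "/api/payroll", "http")))  # 403 Forbidden
```

Basic auth is only safe because the transport is HTTPS (point 3); the credentials travel base64-encoded, not encrypted, which is why the dispatcher rejects plaintext requests before it even looks at the header.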
+1  A: 

You just need a couple of things in place to do this. First, the service client will need to authenticate against your service (over HTTPS) to make a request. Once the client is authenticated, you can return a private token which the client has to include with each subsequent request. As long as the token expires after a reasonable amount of time, and a secure algorithm is used to generate it, this should do what you want.

If you have more strict security requirements, you can follow Jacob's suggestion, or have the client start a VPN session prior to making requests.

Dana the Sane
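The token scheme described in this answer, as an added example that is not Dana's code. Once a client has authenticated over HTTPS (that step is assumed and not shown), the service issues an HMAC-SHA256-signed token that binds the client id to an expiry time; every later request carries it as a bearer credential and the service verifies the signature with a constant-time comparison before trusting the expiry claim. The signing key, client ids and 15-minute lifetime are constructed for the example.

```python
"""Expiring, HMAC-signed bearer tokens for a JSON web service (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Server-side signing key, known only to the service. Generated here for the demo;
# in production load it from a secret store and rotate it.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME = 15 * 60  # seconds; short lifetimes bound the damage from a leaked token

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_id: str, now=None) -> str:
    """Return a token the service hands to a client that has just authenticated."""
    now = time.time() if now is None else now
    claims = {"sub": client_id, "exp": int(now) + TOKEN_LIFETIME, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token: str, now=None):
    """Return the client id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered: do not even parse the claims
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # expired: the client must authenticate again
    return claims.get("sub")

def handle_bearer_request(environ, now=None):
    """Require HTTPS and a valid bearer token. Returns (status, JSON body)."""
    if environ.get("wsgi.url_scheme") != "https":
        return "403 Forbidden", json.dumps({"error": "https required"})
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return "401 Unauthorized", json.dumps({"error": "bearer token required"})
    client = verify_token(token, now)
    if client is None:
        return "401 Unauthorized", json.dumps({"error": "invalid or expired token"})
    return "200 OK", json.dumps({"client": client})

def bearer_environ(token, scheme="https"):
    """Constructed WSGI-style environ carrying the token as a client would send it."""
    return {"wsgi.url_scheme": scheme, "PATH_INFO": "/api/data",
            "HTTP_AUTHORIZATION": "Bearer " + token}

if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("mobile-app", now=t0)
    print(handle_bearer_request(bearer_environ(tok), now=t0 + 60))                  # 200 OK
    print(handle_bearer_request(bearer_environ(tok), now=t0 + TOKEN_LIFETIME + 1))  # 401 (expired)
    print(handle_bearer_request(bearer_environ(tok), now=t0, ) if False else "")   # (placeholder skipped)
```

The token is opaque to the client but not secret from it; what stops a client from minting its own is the server-held key, so the key must never be shipped inside the client apps. Checking the signature before reading the expiry matters: an attacker who could edit `exp` without invalidating the signature would get unlimited lifetime.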