views: 81
answers: 3

I have a problem regarding JSON web service security. I tried to develop a sample web application using a JSON web service, but the problem is that the URL is exposed on the client side. So from there, anybody can write a program and call the service a thousand times. Please take note that the web service will be used for a registration page, which checks if the user already exists in the database. So no authentication happens in this process.

What are the approaches to secure the calling of the exposed web service?

A: 

There is no 100% defence. Anyway, somebody can make a program and use your service. You can just make the programmer's work harder.

The main things you can do are to add a delay before returning the result and to limit the connection count from one IP. Also you can put something like a session id (that expires in 5-10 minutes) on your registration page that must exist in your service request.

silent
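The expiring "session id" this answer suggests can be done without server-side session storage by signing a nonce and expiry time with a server secret. The following is an added example, not code from the question or the answer; `issue_token`, `verify_token`, `handle_check_user`, the secret value and the `EXISTING_USERS` set are all constructed for illustration. The registration page embeds the token, the JSON request must send it back, and the handler refuses to touch the database when the token is missing, forged or older than the TTL.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed example secret: a real deployment loads this from configuration,
# never from source code, and rotates it.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 600  # 10 minutes, the upper end of the answer's 5-10 minute window

# Constructed stand-in for the user table the registration check consults.
EXISTING_USERS = {"alice", "bob"}


def issue_token(secret=SERVER_SECRET, now=None, ttl=TOKEN_TTL_SECONDS):
    """Mint a token for the registration page: random nonce + expiry, HMAC-signed.

    Without the server secret nobody can forge one, and after `ttl` seconds
    it is rejected. `now` is injectable so the behaviour can be tested offline.
    """
    now = time.time() if now is None else now
    payload = f"{secrets.token_hex(8)}:{int(now) + ttl}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(sig).decode())


def verify_token(token, secret=SERVER_SECRET, now=None):
    """Return True only if the signature matches and the expiry is still in the future."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError subclass)
        return False
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False
    try:
        _nonce, expiry = payload.decode().split(":", 1)
        return now < int(expiry)
    except ValueError:
        return False


def handle_check_user(request, now=None):
    """Hypothetical service handler returning (status, body) like an HTTP endpoint.

    Requests without a valid, unexpired token never reach the user lookup.
    """
    if not verify_token(request.get("token", ""), now=now):
        return 403, {"error": "missing or expired token"}
    username = request.get("username", "")
    return 200, {"exists": username in EXISTING_USERS}


if __name__ == "__main__":
    token = issue_token()
    print(handle_check_user({"token": token, "username": "alice"}))
    print(handle_check_user({"username": "alice"}))
```

The token only proves that the caller loaded the registration page recently; it does not stop a script that fetches the page first, which is why the answer pairs it with a delay and a per-IP connection limit.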
A: 

This is what I would do:

  1. Put an authentication layer between the web service and the outside world (i.e. instead of making your webservice a public interface, make the authentication layer the public API).

  2. Get the authentication layer to then call the web service on behalf of the caller.

This way, you can get to implement business logic at the authentication layer - e.g. simply refuse a caller who is attempting a DoS attack, or calling from an untrusted IP address etc, etc.

Also your API is internal, so no one can get to call it (you can implement further logic in the web service to ensure that it only handles requests from localhost).

This is the configuration I would use. Generally, it's not a good idea to expose an API to the public, unless you want people to call it and possibly abuse it from time to time.

morpheous
Hi morpheous, can you please give me a sample implementation of the approach above. Thanks
A: 

You can filter the requests by caller IP. If an IP calls your API for, say, 100 times in a minute, it's abuse and you block the following connections from it. Remember to unblock IPs from time to time to respect dynamic IPs.

Boldewyn
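The per-IP limit described in this answer (and the connection-count limit in the first one) can be a sliding window of timestamps per address, with a temporary block that expires on its own so a reassigned dynamic IP is not punished forever. This is an added example, not code from the page; the `IpRateLimiter` class, the `replay` helper and the `SAMPLE_LOG` lines are all constructed for illustration, and the defaults match the answer's "100 in a minute" figure.

```python
import time
from collections import defaultdict, deque


class IpRateLimiter:
    """Sliding-window limiter: reaching `max_requests` hits from one IP inside
    `window_seconds` blocks that IP for `block_seconds`, after which it is
    unblocked automatically (the answer's reminder about dynamic IPs).
    """

    def __init__(self, max_requests=100, window_seconds=60, block_seconds=600):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self._hits = defaultdict(deque)   # ip -> request timestamps inside the window
        self._blocked_until = {}          # ip -> time at which the block expires

    def allow(self, ip, now=None):
        """Return True if the request may proceed, False if the IP is blocked."""
        now = time.time() if now is None else now
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False
            # Block has expired: forget it and give the IP a clean window.
            del self._blocked_until[ip]
            self._hits[ip].clear()
        hits = self._hits[ip]
        while hits and hits[0] <= now - self.window_seconds:
            hits.popleft()  # drop timestamps that fell out of the window
        if len(hits) >= self.max_requests:
            self._blocked_until[ip] = now + self.block_seconds
            return False
        hits.append(now)
        return True

    def blocked_ips(self, now=None):
        """IPs whose block is still in force at `now`."""
        now = time.time() if now is None else now
        return sorted(ip for ip, until in self._blocked_until.items() if now < until)


# Constructed access-log lines: "<unix time> <client ip> <path>". 10.0.0.5 fires a
# burst at the registration check; 192.0.2.7 behaves like an ordinary visitor.
SAMPLE_LOG = """\
1000 10.0.0.5 /api/check_user
1001 10.0.0.5 /api/check_user
1002 10.0.0.5 /api/check_user
1003 10.0.0.5 /api/check_user
1004 192.0.2.7 /api/check_user
1050 10.0.0.5 /api/check_user
1130 10.0.0.5 /api/check_user
"""


def replay(log_text, limiter):
    """Feed log lines through the limiter; return [(ip, allowed), ...] in order."""
    decisions = []
    for line in log_text.splitlines():
        ts, ip, _path = line.split()
        decisions.append((ip, limiter.allow(ip, now=float(ts))))
    return decisions


if __name__ == "__main__":
    # Small thresholds so the constructed log shows a block and an automatic unblock.
    for ip, ok in replay(SAMPLE_LOG, IpRateLimiter(max_requests=3, window_seconds=60, block_seconds=120)):
        print(ip, "allowed" if ok else "BLOCKED")
```

In production the state would live in a shared store rather than process memory, and the client address must be taken from the socket (or a trusted proxy header), not from anything the request body supplies.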