B4J Question Check incoming JSON

Discussion in 'B4J Questions' started by udg, Apr 18, 2019.

  1. udg

    udg Expert Licensed User

    Hi all,

    I'd like to setup a single entry point for a partner in order to let him access a few services.
    My server is build around B4J's jServer and I already added a Server Handler to my running code.
    Everything works fine as long as the incoming "query" comforms to what's expected, but how can I protect the service against a malformed query?

    I mean, I expect as input a JSON string following a simple construct (which specifies, among other things, the wanted service and its parameters).
    Should I put everything in a try/catch section?
    I'd like to catch problems such as:
    - the input string is not a JSON string
    - the input string is in JSON format but follows a scheme not allowed/expected (e.g. a map instead of a list)
    - no string sent to the entry point
    So, what I like to achieve is kind of a syntactic check. Once that's ok I would proceed to check eaach field for allowable values.

    Other measures I'm evaluating are the frequency I should change the auth token, the number of enquiries accepted in a defined time frame. Can you suggest other key points to keep the service run as safe as possible? TIA

    udg
     
  2. Marcus Araujo

    Marcus Araujo Member Licensed User

    Hi,

    I too believe a try-catch is very handy for this situation.

    After the authentication, how are you handling the requests and making sure the message was not tampered and came from the original source? For that it's nice to have the message signed with a token only the server and the client knows. JWT (JSON web token) is quite good.
     
    udg likes this.
  3. udg

    udg Expert Licensed User

    Hi Marcus,
    thank you for your reply. I didn't know about JWT, so I was considering my own solution. Now that I know a standard exists, why not adopting it?
    I'm considering to dedicate a firewall port to those very few selected partners allowed to use the service. All of them will operate on fixed IPs so it should be easy to restrict the operation of that port only to them. This because I want to avoid DoS and similar attacks to the server.

    So the genearl scheme could be:
    1. restrict access to the service
    2. check syntax validity of the JSON input parameter
    3. verify the token
    4. verify the payload
    5. send back appropriate response

    Am I missing something?
     
  4. Marcus Araujo

    Marcus Araujo Member Licensed User

    If you need an extra layer of security, it's good to use a secure protocol, such as HTTPS.

    For the rest I can't think of anything else now.
     
  5. udg

    udg Expert Licensed User

    Sure, once everything is setup correctly I'll switch to SSL. That one is needed even for my own RDC-like protocol

    Thank you for your hints
     
    Marcus Araujo likes this.
  6. Harris

    Harris Well-Known Member Licensed User

    Hope you will have a better experience applying SSL than I did... It is a simple process for Apache (my VPS provider support did for me).
    Java jetty (with ABM) was my issue. My tutorial on this matter is just about done - once I figure out where the "private key" actually came from...
     
  7. udg

    udg Expert Licensed User

    I read with great interest your (dis)adventures about SSL. Hope my Let's encrypt certificate along with my CentOS 7 VPS would cooperate better. I guess I will start with an old tutorial I found on the forum time ago, unless your document arrives before I have to start (it will take some time, so no pressure on you ehehe).
     
    Last edited: Apr 19, 2019
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice