B4J Question Check incoming JSON

[udg]

Hi all,

I'd like to setup a single entry point for a partner in order to let him access a few services.
My server is build around B4J's jServer and I already added a Server Handler to my running code.
Everything works fine as long as the incoming "query" comforms to what's expected, but how can I protect the service against a malformed query?

I mean, I expect as input a JSON string following a simple construct (which specifies, among other things, the wanted service and its parameters).
Should I put everything in a try/catch section?
I'd like to catch problems such as:
- the input string is not a JSON string
- the input string is in JSON format but follows a scheme not allowed/expected (e.g. a map instead of a list)
- no string sent to the entry point
So, what I like to achieve is kind of a syntactic check. Once that's ok I would proceed to check eaach field for allowable values.

Other measures I'm evaluating are the frequency I should change the auth token, the number of enquiries accepted in a defined time frame. Can you suggest other key points to keep the service run as safe as possible? TIA

udg

 

[Marcus Araujo]

Hi,

I too believe a try-catch is very handy for this situation.

After the authentication, how are you handling the requests and making sure the message was not tampered and came from the original source? For that it's nice to have the message signed with a token only the server and the client knows. JWT (JSON web token) is quite good.

 

[udg]

Hi Marcus,
thank you for your reply. I didn't know about JWT, so I was considering my own solution. Now that I know a standard exists, why not adopting it?
I'm considering to dedicate a firewall port to those very few selected partners allowed to use the service. All of them will operate on fixed IPs so it should be easy to restrict the operation of that port only to them. This because I want to avoid DoS and similar attacks to the server.

So the genearl scheme could be:
1. restrict access to the service
2. check syntax validity of the JSON input parameter
3. verify the token
4. verify the payload
5. send back appropriate response

Am I missing something?

 

[Marcus Araujo]

If you need an extra layer of security, it's good to use a secure protocol, such as HTTPS.

For the rest I can't think of anything else now.

 

[udg]

Sure, once everything is setup correctly I'll switch to SSL. That one is needed even for my own RDC-like protocol

Thank you for your hints

 

[Harris]

Sure, once everything is setup correctly I'll switch to SSL. That one is needed even for my own RDC-like protocol

Thank you for your hints

Hope you will have a better experience applying SSL than I did... It is a simple process for Apache (my VPS provider support did for me).
Java jetty (with ABM) was my issue. My tutorial on this matter is just about done - once I figure out where the "private key" actually came from...

 

[udg]

I read with great interest your (dis)adventures about SSL. Hope my Let's encrypt certificate along with my CentOS 7 VPS would cooperate better. I guess I will start with an old tutorial I found on the forum time ago, unless your document arrives before I have to start (it will take some time, so no pressure on you ehehe).