[WD21] Clientcertificate in database

Posted by ChristineWagner 
October 02, 2018 09:59AM
We will have a REST service (implemented by a third party but installed in a Tomcat/Apache we are configuring), which has to be secured as well as possible.
I'd like to administer its own client certificate for each company (which is using the new feature). Ideally I'd like to load it into the software/database without them ever getting this certificate in their hands. So they can start our software over the network or directly on the PC (where it is installed) and (after checking their user rights) we load the certificate and access the REST service with it.
Now I'm not very good with this certificate functionality. But with WinDev I would call HTTPCertificate() before making the HTTPRequest. This will only work with an installed client certificate, won't it?
Does someone have an idea for a workaround so I do not have to install the certificate on each laptop? I don't want them to be able to access this REST service from a browser.

Thanks for your ideas!

Christine Wagner
Re: [WD21] Clientcertificate in database
October 02, 2018 01:12PM
Hi Christine

Why do you want to use certificates?

Logically, the web service should have an authentication system built in (user + password or, in web service lingo, ID + secret key).

If that is the case, and it should be, you just have to store these IDs inside your application DB (encrypted, of course) for each user/PC allowed to access the web service, and pass the appropriate information during the first call in order to obtain a token for each subsequent call.

Best regards

Fabrice Harari
International WinDev, WebDev and WinDev mobile Consulting

Free Video Courses, free WXShowroom.com, open source WXReplication, open
source WXEDM.

More information on [www.fabriceharari.com]
Re: [WD21] Clientcertificate in database
October 04, 2018 10:06AM
Hi Fabrice,

I had to ask for the details. We have two cases:

The first one (and the most important one) is not yet finished. It may be that we will get a secret key for each partner, which we can use in the authentication process with the REST interface. Unfortunately it may also be (I really hope I can persuade them that this should be done from their software, but one cannot be sure) that we have to build this authentication system ourselves and give their REST service only the official and publicly known ID.

If I have to authenticate the user myself, I would have to implement my own web service with authentication and forwarding of each request to their system (which will then only be reachable locally). Or (that was the idea behind my question above) I store a client certificate (encrypted) in the database of the partner, without giving him any chance to change this client certificate and the publicly known ID himself. So I can be sure that he is entitled to use the service as long as he can connect to the Apache with his client certificate.

The second use case we have is an older one and not very important at the moment: We have to access a REST service where we got a client certificate, and this has to be correct. We really have to install this certificate on each laptop where it is needed. Fortunately there are only one or two users per partner who are allowed to use this interface. So it isn't yet a big issue.

Best regards

Christine Wagner
Re: [WD21] Clientcertificate in database
October 04, 2018 12:05PM
Hi Christine,

If you need to authorize access to this web service from your application, and your application ONLY...

WHY would you want to use certificates?

Your application should know who is logged where
Your application should ALSO know who is authorized to use the web service

So you check that (and no need of a certificate for that) and your application does or does not access the web service, using any kind of authentication provided by the web service creators...

Now, if the web service itself is NOT protected at all, then the only way you can protect access to it is by never showing it (its URL, I mean), and that is easily done by using HTTPRequest from inside your application...

Of course, in such a case, a simple Wireshark session will show the URL in question, so everything is really in the hands of the web service creators.

I'm very surprised that this aspect has not been defined before anything else...

Best regards

Fabrice Harari
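The flow Fabrice describes (the application checks the logged-in user's rights locally, exchanges the stored ID + secret once for a token, and sends only the token on later calls), as an added Python model of both sides; this is not code from the thread or from WinDev. The partner ID, secret, signing key and allowed-user list are constructed for the example, and encrypting the stored secret at rest is left out.

```python
import base64, hashlib, hmac, json, time

# --- Service side (what the web service's creators would run) ---
# Constructed partner record: the service stores a hash of the secret, not the secret.
PARTNER_SECRETS = {"partner-0001": hashlib.sha256(b"constructed-demo-secret").hexdigest()}
TOKEN_KEY = b"constructed-signing-key"   # would be random and kept private on the service
TOKEN_TTL = 600                          # seconds a token stays valid

def issue_token(client_id, client_secret, now=None):
    """First call: exchange ID + secret for a signed, short-lived token (or None)."""
    now = now or int(time.time())
    expected = PARTNER_SECRETS.get(client_id)
    given = hashlib.sha256(client_secret.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, given):
        return None
    claims = json.dumps({"sub": client_id, "exp": now + TOKEN_TTL}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    sig = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify_token(token, now=None):
    """Subsequent calls: accept only an untampered, unexpired token; return its subject."""
    now = now or int(time.time())
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["sub"] if claims["exp"] > now else None

# --- Application side (Christine's application, modelled here) ---
# The application already knows who is logged in and which users may call the service.
ALLOWED_USERS = {"alice"}   # constructed; in practice read from the application's rights table

def call_service(logged_in_user, client_id, client_secret, now=None):
    """Check local user rights first, then obtain a token and use it for the request."""
    if logged_in_user not in ALLOWED_USERS:
        return "denied locally"
    token = issue_token(client_id, client_secret, now)
    if token is None:
        return "service rejected credentials"
    # Every later request carries the token, never the secret itself.
    subject = verify_token(token, now)
    return f"ok for {subject}" if subject else "token invalid"
```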