Securing Grails REST service for use with mobile a

2019-03-27 19:04发布

问题:

I am busy doing some research into using REST services with mobile applications and would appreciate some insight. The scenario is as follows.

Consider a web application that provides a service to users. The web application will also be the main interaction point for the users. This will be done in Grails, and secured with Spring Security.

Now, we want to provide a REST service so that users can use the service via mobile applications. Since Grails has such nice support for making the existing web application RESTful, we will use the built-in Grails support for that.

My question now is, what would be the "best" way to secure the REST service interface so that it can be use from mobile applications (native- iOS, Andriod, WM7, BB).

The information exchanged are highly sensitive, so the more secure, the better.

Thanks

回答1:

We decided to split our grails project in three...

  • model-domain-project (This is the "admin" section with all the views/controller scaffolded, and all the services, domain)
  • web-app (this is the main application, controllers, views)
  • api-rest-app (this is the rest controllers)

The model-domain-project is a plugin that it's plugged in the web-app and the api-app, contains the domain model, services, and all the database security, transactions, etc.

The web-app is all the html templates, views and controllers, here we are using the attributes of Spring Security

The api-rest-app we are using grails-filters and we are using Basic-Authorization via https with a token with an expiration date...

if the expiration date of the token is reached you will have to ask for another token with a "request-token" we sent you with the first token... (it's more or less like oauth2)

To get the two first tokens, you will have to confirm the device via a login with user/phone/password then you receive a key via sms that you will have to enter in the app

Do not know if this the best way, but it's the way we do it...

Sometimes we are using the web-app as client and call the api-rest-app...