I am creating a public REST application for clients to access. In an attempt to develop a security system for this, I looked at how AWS handles their REST verification using an access key and a secret key to sign the message before sending it to the AWS server. So I coded an example with Jersey, JSP and javascript (jsonp) for testing, and it seems to work fine.
1.) When the page is loaded, the JSP takes the client's access key and date / time (converted to EPOCH) and writes it to the page. It also takes these two pieces of information and combines them with the client's unique secret key through HMAC-SHA1.
2.) When I execute an ajax jQuery request, I pass all three pieces of information.
- user access key
- date / time (EPOCH)
- signed message
3.) On the Jersey side, I take the access key and date / time and check the database for the user's secret key. Then I compute my own HMAC-SHA1 signature and compare it with the signed message the user sent. If they match, then I let them use our web service. I also check the date / time and only accept messages signed in the last 15 minutes.
My question is: is this enough?