0

Im developing a little serverside api to use with a java client (which i wrote too).

The api is written with jersey (RESTful) und running on a tomcat server. The data it provides is passed to the client as Json-String and all communication is performed via Http.

I now want to ensure that only my own client programm is able to access the api (At the moment, as its http, everyone could receive the json data via an ordinary browser). Therefor, im looking for a way to "identify" my clientside programm to the api with a key or something like that. I first thought about using the user-agent for identification, but this could easily be copied. So i need some kind of key which changes dynamically or something like that.

Whats a good way to do that?

I searched in the net but didnt find a proper answer (maybe wrong keywords?), so im happy for every hint and/or link about that topic.


Edit: The client side programm is an android app. I want to make sure noone is creating a similar app and use my server for his purpose.

4

1 回答 1

4

如果攻击者拥有客户端,则几乎没有最终无法破坏的安全性。

一个好的开始,这是相当开箱即用的是双向 SSL 身份验证(客户端和服务器证书)。这是开箱即用的支持,几乎不需要更改代码。

于 2013-08-04T19:27:41.003 回答