on 10-02-2018 1:36 PM
A question regarding securing OData API calls in the SAPUI5 application.
In the legacy system, once a user has successfully passed authorization, it is possible to send a request with a User ID and the desired data directly from the client side to the OData API without any additional security check on the server side.
My concern is that any authorized user in the system can behave as a trojan, theoretically spoofing his own User ID and performing some actions under the name of another user. As a mitigation measure, there is an option to encapsulate the OData API from the client side by introducing a server-side wrapper, which will perform sender authentication before forwarding the request to the OData API.
The question is whether there are already some out-of-the-box approaches in the SAP Fiori / SAPUI5 platform to secure the use of the OData API, to ensure that the request sender can't fake a User ID and do something in the system under another name.
The user id/name/... should be determined server-side based on the provided credentials. That way spoofing is not possible.
Could you please describe the supposed attack vector in more detail?
Every HTTP request has to carry credentials that pass server-side validation, which include
Then the request is executed in the context of this user, and with the access rights of this user.
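The principle in this answer, the author of a request is whatever identity the server derived from the credentials and never a name field in the JSON body, shown as an added example (not code from the thread or from SAP Gateway). It models the comment scenario with a constructed session table and hypothetical handler names; the weak handler trusts the payload, the hardened one ignores or rejects it.

```javascript
// Constructed session table: credential -> identity established server-side.
// This stands in for the credential validation the gateway performs before
// any OData handler runs.
const SESSIONS = new Map([
  ["tok-A", "UserA"],
  ["tok-B", "UserB"],
]);

// Resolve the caller from the credential on the request, never from the body.
function authenticate(request) {
  const user = SESSIONS.get(request.headers.authorization);
  if (!user) throw new Error("401 Unauthorized");
  return user;
}

// Weak handler: only checks that *some* valid user is calling, then trusts
// the 'user' field the client placed in the JSON payload as the author.
function createCommentWeak(request) {
  authenticate(request);
  const body = JSON.parse(request.body);
  return { author: body.user, text: body.text };
}

// Hardened handler: the author is the authenticated principal. A client-
// supplied 'user' field is redundant; if present and different it is rejected,
// which also gives the server a log-worthy signal of a tampered payload.
function createCommentHardened(request) {
  const caller = authenticate(request);
  const body = JSON.parse(request.body);
  if (body.user !== undefined && body.user !== caller) {
    throw new Error("403 Forbidden: payload identity does not match caller");
  }
  return { author: caller, text: body.text };
}

// The case from the thread: User A edits the name field to User B in DevTools.
function spoofedRequest() {
  return {
    headers: { authorization: "tok-A" },
    body: JSON.stringify({ user: "UserB", text: "hello" }),
  };
}

// An untampered request from User A, for comparison.
function honestRequest() {
  return {
    headers: { authorization: "tok-A" },
    body: JSON.stringify({ user: "UserA", text: "hello" }),
  };
}
```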
Suppose there are two valid users, User A and User B. Both are authorised to access the OData API. Now, User A performs authorization and sends a request to the OData API. My concern is that User A can open Chrome Dev Tools and fake the JSON by spoofing his name to User B prior to sending it to the OData API.
As a result, the OData API will get a JSON where the user name is not genuine: User B instead of User A.
The question is whether there is any built-in security mechanism in the OData API to verify that the data comes from the specific user who is currently logged in and appears in the JSON, and not from someone else who just has access to the OData API.
Real world example:
A user can leave a comment, where his name and the content body will appear, but it is also possible to fake the value of the name field and write the name of someone else instead.