
<p>You could always require the client to authenticate, using <a href="http://www.aswinanand.com/2009/01/http-basic-authentication-using-ajax/" rel="nofollow">HTTP Basic Auth</a> or some custom scheme. If your client requires the user to log in, you can at least restrict the general public from obtaining the <code>www.companyA.com/services/service1.ashx</code> URL, since they will need to log in to find out about it.</p>
<p>It gets harder if you are also trying to protect the URL from unintended use by people who legitimately have access to the official client. You could try changing the service password at regular intervals, and updating the client along with it. That way a refresh of the client in-browser would pull the new password, but anyone who built custom code would be out of date. Of course, a really determined user could just write code to rip the password from the client JS programmatically when it changes, but you would at least protect against casual infringers.</p>
<p>With regard to the URL token idea you mentioned in update 2, it could work something like this. Imagine every month, the <code>www.companyA.com/services/service1.ashx</code> URL requires a new token to work, e.g. <code>www.companyA.com/services/service1.ashx?token=January</code>. Once it's February, 'January' will stop working. The server will have to know to only accept the current month, and the client will have to know to send a token (determined at the time the client web page loads from the server in the browser).</p>
<p>(All pseudo-code since I don't know C# and which JS framework you will use)</p>
<p>Server-side code:</p>
<pre><code>if (request.urlVars.token == Date.now.month) then
    render "This is the real data: [2,5,3,5,3]"
else
    render "401 Unauthorized"
</code></pre>
<p>Client code (dynamic version served by your service) <code>www.companyA.com/client/myajaxcode.js.asp</code>:</p>
<pre><code>var dataUrl = 'www.companyA.com/services/service1.ashx?token=' + &lt;%= Date.now.month %&gt;
// below is JS code that does ajax call using dataUrl
...
</code></pre>
<p>So now we have service code that will only accept the current month as a token, and client code that, when you refresh in the browser, gets the latest token (set dynamically as the current month). Since this scheme is really predictable and could be hacked, the remaining step is to salt and hash the token so no one can guess what it is going to be.</p>
<pre><code>if (request.urlVars.token == mySaltedHashMethod(Date.now.month)) then
</code></pre>
<p>and</p>
<pre><code>var dataUrl = 'www.companyA.com/services/service1.ashx?token=' + &lt;%= mySaltedHashMethod(Date.now.month) %&gt;
</code></pre>
<p>Which would leave you with a URL like <code>www.companyA.com/services/service1.ashx?token=gy4dc8dgf3f</code> and would change tokens every month.</p>
<p>You would probably want to expire faster than every month as well, which you could do by using the epoch hour instead of the month.</p>
<p>I'd be interested to see if someone out there has solved this with some kind of encrypted client code!</p>