codedecoder

breaking into the unknown…

passing parameter with post method in REST


While making an API call, you should avoid passing sensitive information such as usernames, passwords, social security numbers etc. in the URL, as anyone can easily read them there. The safer way is to make the call as a POST request and pass the needed parameters in the body. I found this security hole in one of my own pieces of code, but rectified it before anyone could misuse it.

Below is the code which generates an authentication token from OpenAM, which provides SSO for my application. The authentication token is needed to perform all tasks like user creation, deletion etc. on OpenAM. So any person who can get hold of my username and password can also get the authorization token back and break into OpenAM.

require 'rest_client'

module Openam
  class Client
    attr_writer :base_url, :username, :password

    def initialize(base_url, username, password)
      @base_url = base_url
      @username = username
      @password = password
    end

    # Vulnerable version, kept as the post describes it: the username and password
    # travel in the query string, so they end up in browser history, proxy and
    # server access logs, and in the Referer header of anything loaded from that URL.
    def generate_authorization_token
      uri = "#{@base_url}/authenticate?username=#{@username}&password=#{@password}"
      # RestClient.post takes (url, payload, headers); the empty payload keeps the
      # content-type option in the headers position, which is what was intended here.
      response = RestClient.post(uri, '', :content_type => "application/xml")
      # OpenAM answers "token.id=<token>"; drop the 9-character "token.id=" prefix and trim whitespace
      response.body.slice(9..-1).strip
    end
  end
end

I have modified the above generate_authorization_token method to send the credentials in the POST body instead of the URL:

def generate_authorization_token
  uri = "#{@base_url}/authenticate"                             # URL the request is made to
  payload = { :username => @username, :password => @password }  # credentials go in the body, not the URL
  # application/x-www-form-urlencoded is the standard media type for a form-encoded body
  response = RestClient.post(uri, payload,
                             :content_type => "application/x-www-form-urlencoded")
  # OpenAM answers "token.id=<token>"; drop the 9-character "token.id=" prefix and trim whitespace
  response.body.slice(9..-1).strip
end

The main point here is the use of the form-urlencoded content type (“x-www-form-url-encoded”), which tells the REST endpoint that the parameters are present in the body rather than the URL, and passing the username and password parameters as a hash in the payload.
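To make the difference visible, here is an added example (not the blog's code) that sends both styles of request to an in-process stand-in for the /authenticate endpoint and records the request line the server sees, which is what an access log would store. The server, the accepted password and the token value are constructed for the demonstration, and it uses Ruby's standard Net::HTTP instead of rest_client so it runs without extra gems.

```ruby
require 'net/http'
require 'socket'
require 'uri'

# Stand-in for OpenAM's /authenticate endpoint (constructed for this example, not OpenAM).
# It records every request line, which is exactly what a web server access log keeps,
# and answers in the "token.id=<token>" format the post relies on.
class FakeAuthServer
  attr_reader :request_lines, :port

  def initialize
    @server = TCPServer.new('127.0.0.1', 0)   # port 0 = pick any free port
    @port = @server.addr[1]
    @request_lines = []
    @thread = Thread.new { loop { handle(@server.accept) } }
  end

  def stop
    @thread.kill
    @server.close
  end

  private
  def handle(sock)
    request_line = sock.gets.to_s.chomp          # e.g. "POST /authenticate?... HTTP/1.1"
    @request_lines << request_line
    length = 0
    while (line = sock.gets) && line.chomp != '' # headers end at the blank line
      length = line.split(':', 2)[1].to_i if line =~ /\AContent-Length:/i
    end
    query = request_line.split(' ')[1].to_s.split('?', 2)[1].to_s
    body = sock.read(length).to_s
    params = URI.decode_www_form([query, body].reject(&:empty?).join('&')).to_h
    token = params['password'] == 'hunter2' ? 'AQIC-constructed-token' : 'denied'
    reply = "token.id=#{token}\n"
    sock.write("HTTP/1.1 200 OK\r\nContent-Length: #{reply.bytesize}\r\n\r\n#{reply}")
  ensure
    sock.close
  end
end

# Original style: credentials in the URL, so they land in the request line and every log of it.
def token_via_url(port, username, password)
  uri = URI("http://127.0.0.1:#{port}/authenticate?username=#{username}&password=#{password}")
  Net::HTTP.post(uri, '').body.slice(9..-1).strip
end

# Fixed style: credentials in a form-encoded body; the request line carries no secret.
def token_via_body(port, username, password)
  uri = URI("http://127.0.0.1:#{port}/authenticate")
  Net::HTTP.post_form(uri, 'username' => username, 'password' => password).body.slice(9..-1).strip
end
```

After both calls, server.request_lines shows the password only in the URL-style entry; the body-style entry reads just "POST /authenticate HTTP/1.1".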


Author: arunyadav4u

Over 7 years' experience in web development with Ruby on Rails. Involved in all stages of the development lifecycle: requirement gathering, planning, coding, deployment & knowledge transfer. I can adapt to any situation, mix very easily with people & can be a great friend.

6 thoughts on “passing parameter with post method in REST”

  1. Does your blog have a contact page? I’m having problems locating it but, I’d like to send you
    an email. I’ve got some creative ideas for your blog you might be interested in hearing. Either way, great blog and I look forward to seeing it expand over time.

  2. You can find my contact details on the About page link above

  3. You can certainly see your enthusiasm within the work you
    write. The arena hopes for even more passionate writers like you
    who aren’t afraid to say how they believe.
    Always follow your heart.

  4. Oh my goodness! Awesome article dude! Thanks, However I am having issues with your RSS.
    I don’t understand the reason why I cannot join it. Is there anyone else getting identical RSS problems?
    Anybody who knows the answer can you kindly respond?
    Thanks!!

  5. Hi there I am so thrilled I found your webpage, I really found you by accident, while I was searching on Digg for something else, Nonetheless I am here now and would
    just like to say cheers for a marvelous post and an all round interesting blog (I also love the theme/design),
    I don’t have time to look over it all at the minute but I have bookmarked it and also
    included your RSS feeds, so when I have time I will be
    back to read a great deal more, Please do keep up the great b.

  6. It’s hard to come by knowledgeable people for this topic,
    however, you sound like you know what you’re talking about!
    Thanks
