URL Security over 2 applications

I'm currently re-engineering an application from CSP pages directly accessing COS Methods, to an Angular/Material front end accessing a REST DAL.  Both the Angular front end and REST services are hosted from the same Caché instance and the same namespace, but the REST services have their own CSP application, with all calls being routed through a Dispatch class.  

I've come across an architecture issue recently, and am trying to assess the options I have.  At present, we encode a call to a class which takes in an OID and returns the Stream to the browser.  In the current application, this request is encoded using %CSP.Page.Encrypt, which performs the encryption and decryption of the string using the %session.Key.  This won't work for the new setup, since the REST service creates and destroys the session automatically, so the string can't be decrypted

My current thinking of my choices are

  1. Implement a rolling encryption/decryption key myself, with an appropriate rollover period
  2. Send the OID in the clear, but implement a tracking class which generates a key value which must be included in the request, and will be revoked once the link has been accessed
  3. Send the OID in the clear, and increase auditing of the requesting session

Do we have any best practices, or alternative methods to secure this sort of communication?

  • 0
  • 0
  • 259
  • 3
  • 2

Answers

It sounds like somewhere in your application you have a call that returns OID values to the client, then as a separate step you wish to return the stream associated with this OID. Is it possible instead of returning the OID to the client you just return the stream directly to the client? So what is the need for the client to store the OID when it is really the stream the client wants?

Assuming there is a good reason for returning the OID you can follow this pattern.

  • Server gets request where it would previously return the OID
  • Server generates a new random number using $system.Encryption.GenCryptRand to generate a random number
  • Server stores this random number in a table against the OID it wishes to associate it with and a timetstamp
  • Server sends the random number to the client
  • Client at some point wishes to get the stream so it sends the random number to the server
  • Server looks up the random number in the table and finds the OID and serves up this stream if the request is within some time period of the random number being generated. Then it deletes the random number from the table.

You also need to write some code to cleanup this table and remove expired random numbers from the table periodically or it could grow over time if you generate values and the client never uses them.

 

Thanks for the reply, Mark

This is a web application with links to binary attachments, that are stored as streams.  The streams are accessed via links on the page, and return the stream based on the OID generated (at present these are FileStreams, and the OID is pointing at the path on the FS).   I'm seperately looking to move these streams into GlobalStreams, to reduce some of the complexity around the file storage.

Cache Fileserver is an old project of mine which allows file upload/download. Files have IDs, but to download each client get's an unique link active only for his IP for a limited time. You can remove IDs altogether.

This looks fantastic!  Thank you for the info, Eduard

Comments