URL Security over 2 applications
I'm currently re-engineering an application from CSP pages directly accessing COS Methods, to an Angular/Material front end accessing a REST DAL. Both the Angular front end and REST services are hosted from the same Caché instance and the same namespace, but the REST services have their own CSP application, with all calls being routed through a Dispatch class.
I've come across an architecture issue recently, and am trying to assess the options I have. At present, we encode a call to a class which takes in an OID and returns the Stream to the browser. In the current application, this request is encoded using %CSP.Page.Encrypt, which performs the encryption and decryption of the string using the %session.Key. This won't work for the new setup, since the REST service creates and destroys the session automatically, so the string can't be decrypted.
My current thinking on my choices is:
- Implement a rolling encryption/decryption key myself, with an appropriate rollover period
- Send the OID in the clear, but implement a tracking class which generates a key value which must be included in the request, and will be revoked once the link has been accessed
- Send the OID in the clear, and increase auditing of the requesting session
Do we have any best practices, or alternative methods to secure this sort of communication?
It sounds like somewhere in your application you have a call that returns OID values to the client, then as a separate step you wish to return the stream associated with this OID. Is it possible instead of returning the OID to the client you just return the stream directly to the client? So what is the need for the client to store the OID when it is really the stream the client wants?
Assuming there is a good reason for returning the OID, you can follow this pattern.
You also need to write some code to clean up this table and remove expired random numbers from the table periodically or it could grow over time if you generate values and the client never uses them.
Thanks for the reply, Mark
This is a web application with links to binary attachments, that are stored as streams. The streams are accessed via links on the page, and return the stream based on the OID generated (at present these are FileStreams, and the OID is pointing at the path on the FS). I'm separately looking to move these streams into GlobalStreams, to reduce some of the complexity around the file storage.
What's a REST DAL?
Cache Fileserver is an old project of mine which allows file upload/download. Files have IDs, but to download each client gets a unique link active only for his IP for a limited time. You can remove IDs altogether.
This looks fantastic! Thank you for the info, Eduard
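The ideas raised in this thread (a random key that is revoked once the link is accessed, a table of expiring random values that needs periodic cleanup, and a link tied to the client IP for a limited time) combined in one added example. It is not code from any poster or from the Cache Fileserver project; it is written in Python so it runs outside Caché, and the class name, method names and the in-memory dict standing in for a persistent table are assumptions.

```python
import secrets
import time


class DownloadTokens:
    """Server-side table mapping single-use random tokens to stream OIDs.

    Hypothetical sketch: a dict stands in for a persistent table. In a
    multi-process server, redeem() must be one atomic read-and-delete.
    """

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock   # injectable so expiry can be tested
        self._rows = {}      # token -> (oid, client_ip, expires_at)

    def issue(self, oid, client_ip):
        """Return an opaque token to put in the link instead of the OID."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[token] = (oid, client_ip, self.clock() + self.ttl)
        return token

    def redeem(self, token, client_ip):
        """Return the OID once; None if unknown, reused, expired or wrong IP."""
        # pop() revokes the token on first presentation, even a failed one,
        # so a leaked token cannot be retried from another address.
        row = self._rows.pop(token, None)
        if row is None:
            return None
        oid, issued_ip, expires_at = row
        if self.clock() > expires_at or client_ip != issued_ip:
            return None
        return oid

    def purge_expired(self):
        """Periodic cleanup of tokens that were issued but never used."""
        now = self.clock()
        stale = [t for t, (_, _, exp) in self._rows.items() if exp < now]
        for t in stale:
            del self._rows[t]
        return len(stale)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    store = DownloadTokens(ttl_seconds=60)
    link_token = store.issue("sample-oid-1", "203.0.113.7")
    print(store.redeem(link_token, "203.0.113.7"))  # first use succeeds
    print(store.redeem(link_token, "203.0.113.7"))  # second use is rejected
```

Because the client only ever sees the random token, the OID (and, for file streams, the path it points at) never leaves the server.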