API Assignment 2
Torben Jackisch
All content following this page was uploaded by Torben Jackisch on 04 September 2022.
Abstract—This report deals with the development of a web API for a fashion company with a focus on the points of authentication, authorisation, requests, encryption, which API type is suitable and its testing. In order to answer the individual questions, various sources were consulted, which primarily deal with the points of architecture, security and communication in the area of APIs. These are, on the one hand, various scientific studies and, on the other hand, technical documentation on corresponding standards. The most important results of the work are that certain patterns emerge that can be found in many sources. This is especially true with regard to architecture and security. Above all, the results indicate that a clear solution is possible for the fashion company and that a functioning and relatively secure solution can be realised with the appropriate standards.

Keywords—API, security, authorisation, authentication, encryption

I. SCENARIO
The scenario describes the requirements for an application programming interface (API) for the LATEST TRENDS CLOTHING COMPANY (LTCC) with a focus on threats and prevention with security measures for the different stages of communication between the involved systems. The API shall provide different functionality, such as managing current stock levels, generating orders and sending them to suppliers, receiving bulk orders from distributors and receiving individual orders from distributors' customers (including customer delivery details). The API will handle the communication between LTCC's internal systems and the applications (or clients, but in this paper they are only called applications) of distributors and suppliers.
See figure 1 for an illustration of LTCC's communication model between the internal systems and the applications of distributors and suppliers.

II. ASSUMPTIONS
As the API acts as a gateway to LTCC's internal systems, it should be seen as a highly critical part of the infrastructure.
Authentication service attacks can happen on different layers. It could be possible to read username and password information from the communication between the hosts during a session. The authentication service can also be misused for attacks like XSS and execution of other malicious code [1 p3]. Another common threat is an API exhaustion attack, which is a type of denial of service (DoS). That DoS attack will prevent the system from processing legitimate requests [1 p4].
To prevent threats like the described ones, different security measures on different layers are necessary, which will be discussed in this paper.

III. AUTHENTICATION
Before an authorisation can be granted, the application user needs to authenticate at the API authorisation server with the given username and password and prove his/her identity to allow the API to communicate with the application [12]. LTCC's internal user management can use an LDAP solution like OpenLDAP [7] for the authentication of outside users. The communication needs to be secured by SSL/TLS [11] and strong password protection [8 p5]. An additional protection can be the usage of a public key infrastructure based on the common X.509 standard [9] (e.g. RSA, ECC, etc.) [8 p5].
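One concrete measure against the API exhaustion attack named in the assumptions section is per-client rate limiting at the API gateway, so that one misbehaving distributor or supplier application cannot starve the others. The token-bucket limiter below is an added example and not code from the report; the client identifiers, capacity, refill rate and sample traffic are constructed values chosen only to illustrate the mechanism.

```python
"""Per-client token-bucket rate limiting at the API gateway.

Added example (not code from the report): a single defensive layer against the
API exhaustion / denial-of-service threat named in the assumptions section.
Clients are keyed by an opaque id such as the OAuth client_id; capacity, refill
rate and the sample traffic are constructed values."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class _Bucket:
    tokens: float       # requests this client may still send right now
    last_refill: float  # timestamp of the last refill computation


class RateLimiter:
    """Each client may burst up to `capacity` requests and is then
    sustained at `refill_per_sec` requests per second."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = float(capacity)
        self.refill_per_sec = refill_per_sec
        self._buckets: Dict[str, _Bucket] = {}

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        bucket = self._buckets.get(client_id)
        if bucket is None:                       # first request: full bucket
            bucket = _Bucket(tokens=self.capacity, last_refill=now)
            self._buckets[client_id] = bucket
        # Refill in proportion to elapsed time, never above capacity.
        elapsed = max(0.0, now - bucket.last_refill)
        bucket.tokens = min(self.capacity, bucket.tokens + elapsed * self.refill_per_sec)
        bucket.last_refill = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False                             # caller answers HTTP 429


def replay(limiter: RateLimiter, traffic: List[Tuple[str, float]]) -> Dict[str, Tuple[int, int]]:
    """Feed (client_id, timestamp) pairs through the limiter; return
    per-client (accepted, rejected) counts."""
    counts: Dict[str, Tuple[int, int]] = {}
    for client_id, ts in traffic:
        accepted, rejected = counts.get(client_id, (0, 0))
        if limiter.allow(client_id, ts):
            accepted += 1
        else:
            rejected += 1
        counts[client_id] = (accepted, rejected)
    return counts


# Constructed traffic: one distributor app fires 10 requests within a second,
# a supplier app sends one request, the distributor retries half a second later.
SAMPLE_TRAFFIC = [("distributor-app", round(i * 0.1, 1)) for i in range(10)]
SAMPLE_TRAFFIC += [("supplier-app", 0.2), ("distributor-app", 1.5)]


def demo() -> Dict[str, Tuple[int, int]]:
    limiter = RateLimiter(capacity=5, refill_per_sec=1.0)   # assumed policy
    return replay(limiter, SAMPLE_TRAFFIC)


if __name__ == "__main__":
    print(demo())
```

With a burst capacity of 5 and a refill of one request per second, the distributor's ten-request burst yields five accepted and five rejected requests, the retry at 1.5 s is accepted again, and the supplier's single request is unaffected because each client has its own bucket. Keying the bucket by the authenticated client identity rather than by source IP matters in practice, since distributor applications often sit behind shared egress addresses.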
IV. AUTHORISATION
After the authentication of the user, the application is allowed to communicate with the API, and the API authorisation server will share an authorisation token with the application for secure communication. This authorisation token will be used to request an access token from the API authorisation server. This access token will be used by the application to access resources (e.g. data) from the API resource server, which will cross-check that access token with the API authorisation server. If this cross-check is successful and the access token is valid, the API resource server should check the request for malicious characters and sanitise the input before sending the request to the internal systems [12].
See figure 2 for a mapping of the OAuth authorisation process with reference to LTCC.
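The sequence described in sections III and IV (user authenticates at the authorisation server, the application receives a short-lived authorisation token, exchanges it for an access token, and the resource server cross-checks that token before validating the request and passing it on) can be followed end to end in a small in-memory simulation. The code below is an added example, not the report's own code and not the API of any OAuth library; every user, client, secret, scope name and field rule is constructed sample data, and the time-to-live values are assumptions. The resource server cross-check is modelled as an introspection call in the shape of RFC 7662; a real deployment would perform it over TLS.

```python
"""OAuth 2.0 authorisation-code flow with token introspection and request
validation, as an in-memory simulation. Added example (not from the report);
every user, client, secret, scope and field rule below is constructed sample data."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional

CODE_TTL = 60       # seconds an authorisation code stays valid (assumed)
TOKEN_TTL = 3600    # seconds an access token stays valid (assumed)


def hash_password(password: str, salt: bytes) -> bytes:
    # Credentials are stored only as salted PBKDF2-HMAC-SHA256 hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthorizationServer:
    def __init__(self):
        self.users: Dict[str, tuple] = {}    # username -> (salt, password hash)
        self.clients: Dict[str, str] = {}    # client_id -> client_secret
        self.codes: Dict[str, dict] = {}     # authorisation code -> metadata
        self.tokens: Dict[str, dict] = {}    # access token -> metadata

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def authenticate(self, username, password) -> bool:
        # Section III: the user proves their identity with username and password.
        entry = self.users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, hash_password(password, salt))

    def authorize(self, client_id, username, password, now) -> Optional[str]:
        # Section IV, step 1: once the user has authenticated, the application
        # receives a single-use, short-lived authorisation code.
        if client_id not in self.clients or not self.authenticate(username, password):
            return None
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "sub": username, "exp": now + CODE_TTL}
        return code

    def exchange_code(self, client_id, client_secret, code, now) -> Optional[str]:
        # Step 2: the application redeems the code, proving its own secret,
        # and receives an access token. pop() makes the code single-use.
        secret = self.clients.get(client_id)
        meta = self.codes.pop(code, None)
        if secret is None or meta is None or not hmac.compare_digest(secret, client_secret):
            return None
        if meta["client_id"] != client_id or now > meta["exp"]:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "sub": meta["sub"],
                              "scope": "orders:write", "exp": now + TOKEN_TTL}
        return token

    def introspect(self, token, now) -> dict:
        # Step 3: the resource server cross-checks the token here (RFC 7662 shape).
        meta = self.tokens.get(token)
        if meta is None or now > meta["exp"]:
            return {"active": False}
        return {"active": True, **meta}


# Allow-list per field of an individual order; anything outside it is rejected
# before it can reach the internal systems. Rules are constructed for this example.
FIELD_RULES = {
    "sku": re.compile(r"[A-Z0-9-]{4,20}"),
    "quantity": re.compile(r"[1-9][0-9]{0,3}"),
    "delivery_address": re.compile(r"[A-Za-z0-9 ,.\-/]{5,120}"),
}


class ResourceServer:
    def __init__(self, auth_server):
        self.auth = auth_server
        self.forwarded = []    # stands in for LTCC's internal order system

    def create_order(self, bearer_token, payload, now) -> dict:
        info = self.auth.introspect(bearer_token, now)
        if not info.get("active") or "orders:write" not in info["scope"].split():
            return {"status": 401, "error": "invalid_token"}
        if set(payload) != set(FIELD_RULES):
            return {"status": 400, "error": "unexpected_fields"}
        bad = sorted(k for k, v in payload.items() if not FIELD_RULES[k].fullmatch(str(v)))
        if bad:
            return {"status": 400, "error": "invalid_fields", "fields": bad}
        self.forwarded.append({"sub": info["sub"], **payload})
        return {"status": 201}


def demo() -> dict:
    """Run the full exchange on constructed data and return each outcome."""
    auth = AuthorizationServer()
    auth.register_user("dist-user", "correct horse battery staple")
    auth.register_client("distributor-app", "constructed-client-secret")
    rs, t = ResourceServer(auth), 1_000.0
    code = auth.authorize("distributor-app", "dist-user", "correct horse battery staple", t)
    token = auth.exchange_code("distributor-app", "constructed-client-secret", code, t + 1)
    good = {"sku": "TSHIRT-042", "quantity": "3", "delivery_address": "12 High Street, Leeds"}
    bad = dict(good, sku="TSHIRT-042<script>")   # characters outside the allow-list
    return {
        "wrong_password": auth.authorize("distributor-app", "dist-user", "guess", t),
        "code_reuse": auth.exchange_code("distributor-app", "constructed-client-secret", code, t + 2),
        "good_order": rs.create_order(token, good, t + 5),
        "bad_order": rs.create_order(token, bad, t + 5),
        "expired_token": rs.create_order(token, good, t + TOKEN_TTL + 10),
        "forwarded": len(rs.forwarded),
    }
```

Running `demo()` shows the checks the report asks for in order: a wrong password yields no authorisation code, a code cannot be redeemed twice, a well-formed order is forwarded, an order carrying characters outside the allow-list is rejected with HTTP 400 naming the offending field, and a request with an expired token is refused with HTTP 401 before any input is examined. Rejecting on an allow-list rather than stripping suspicious characters is the safer reading of "sanitise": the internal systems never see a silently altered order.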