Here is my setup: I will create two REST services that run on Server B and should only be called from Server A. Both servers are on the same network, and I am not able to configure a firewall to enforce this. Several clients share the same (internal) network the servers are on. Because of this I will configure Server B to only allow incoming connections from Server A's IP address. (Technical detail: this will perhaps be a Tomcat behind Apache httpd.)
- REST service 1, located at https://server_b/getValue?id=1234 , will return the value that is stored for the id 1234.
- REST service 2, located at https://server_b/setValue?id=1234&value=foo , will set the value foo for the id 1234.
(Remarks: I know this is not REST as they teach it in the books; this is just an example ;-) And no, unfortunately I will not be able to use basic authentication or the like.)
What will happen now if someone spoofs the IP address and pretends to be Server A? When calling REST service 1, nothing will be conveyed to the forger because the answer will be sent to the "real" Server A. Is this correct?
Calling service 2 will be worse because the GET method becomes effective immediately. Is this assumption correct?
I read information about IP spoofing, for example IP forgery (theories are fine), but was not able to answer my specific questions using that information.
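The allowlist the question describes, written out as an added Apache httpd configuration example (not the asker's own config). Server A's address 10.0.0.10 and a Tomcat listening on 127.0.0.1:8080 are placeholders; the two endpoint paths are the ones from the question.

```apache
# Added example: httpd in front of Tomcat, admitting only Server A.
# Placeholders: 10.0.0.10 = Server A, 127.0.0.1:8080 = the Tomcat connector.
<VirtualHost *:443>
    ServerName server_b
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile as for the rest of the site

    # Deny the whole host to the shared network first; the more specific
    # <Location> sections below are merged later and override this one.
    <Location "/">
        Require all denied
    </Location>

    # "Require ip" is evaluated on the peer address of the accepted TCP
    # connection, never on a client-supplied header such as X-Forwarded-For.
    # Tomcat behind httpd only ever sees httpd's own address, so the check
    # has to live here rather than in a Tomcat RemoteAddrValve.
    <Location "/getValue">
        Require ip 10.0.0.10
    </Location>
    <Location "/setValue">
        Require ip 10.0.0.10
    </Location>

    # Requests reach Tomcat only after the Require check has passed.
    ProxyPass        "/getValue" "http://127.0.0.1:8080/getValue"
    ProxyPassReverse "/getValue" "http://127.0.0.1:8080/getValue"
    ProxyPass        "/setValue" "http://127.0.0.1:8080/setValue"
    ProxyPassReverse "/setValue" "http://127.0.0.1:8080/setValue"
</VirtualHost>
```

Because the check is on the accepted connection's peer address, a request from a forged source address only reaches the setValue handler if the forger can also complete the TCP and TLS handshakes for that address; the httpd access log for these two paths is the place to watch for rejected (403) attempts from other hosts on the shared network.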