Secure framework for invoking server-side APIs using AJAX
First Claim
1. A method for securely invoking a server-side Application Programming Interface (API), the method comprising:
receiving, from a client-side component of a Web application, a request to invoke an API hosted on a server;
wherein the request is generated by a client device executing instructions written in a scripting language, the executed instructions displaying a visual presentation for a user on the client device; and
asynchronously sending the request to invoke the API hosted on the server;
in response to receiving the request to invoke the API hosted on the server, invoking a security handler hosted on the server, the security handler configured to process the request in a manner that mitigates a plurality of different types of security attacks;
wherein the plurality of different types of security attacks includes at least replay attacks, and the security handler is configured to prevent a replay attack;
invoking the API on the server; and
sending a response comprising output data generated by the API to the client-side component;
wherein receipt of the response causes only a portion of the visual presentation corresponding to changed data to be updated without refreshing the entire display.
Abstract
Techniques for securely invoking a server-side API from client-side Web application code using AJAX. In one set of embodiments, a request to invoke a server-side API is received from a client-side component of a Web application, where the request is sent asynchronously using AJAX. One or more security handlers are then invoked to process the request in a manner that mitigates various security attacks. In one embodiment, a security handler is invoked to defend against a plurality of different types of Web application/AJAX security attacks. In another embodiment, authentication and authorization security handlers are invoked to authenticate a user of the Web application that originated the request and determine whether the user is authorized to call the server-side API. In yet another embodiment, configuration is implemented at the data storage tier to enforce user-access and data security on data that is retrieved/stored as a result of invoking the server-side API.
22 Claims

1. Independent claim, set out in full above under First Claim. Claims 2 to 16 are dependent on claim 1.
17. A server system comprising:
a storage component configured to store code for an Application Programming Interface (API); and
a processing component in communication with the storage component, wherein the processing component is configured to:
receive, from a client-side component of a Web application, a request to invoke the API, wherein the request is generated by a client device executing instructions written in a scripting language, the executed instructions displaying a visual presentation for a user on the client device; and asynchronously sending the request to invoke the API hosted on the server;
in response to receiving the request to invoke the API hosted on the server, invoke a security handler configured to process the request in a manner that mitigates a plurality of different types of security attacks;
wherein the plurality of different types of security attacks includes at least replay attacks, and the security handler is configured to prevent a replay attack;
invoke the API; and
send a response comprising output data generated by the API to the client-side component;
wherein receipt of the response causes only a portion of the visual presentation corresponding to changed data to be updated without refreshing the entire display.
Claims 18 and 19 are dependent on claim 17.
20. A non-transitory machine-readable storage medium storing instructions which when executed cause one or more processors to securely invoke a server-side Application Programming Interface (API), the instructions comprising instructions for:
receiving, from a client-side component of a Web application, a request to invoke an API hosted on a server, wherein the request is generated by a client device executing instructions written in a scripting language, the executed instructions displaying a visual presentation for a user on the client device; and asynchronously sending the request to invoke the API hosted on the server;
in response to receiving the request to invoke the API hosted on the server, invoking a security handler hosted on the server, the security handler configured to process the request in a manner that mitigates a plurality of different types of security attacks;
wherein the plurality of different types of security attacks includes at least replay attacks, and the security handler is configured to prevent a replay attack;
invoking the API on the server; and
sending a response comprising output data generated by the API to the client-side component;
wherein receipt of the response causes only a portion of the visual presentation corresponding to changed data to be updated without refreshing the entire display.
Claims 21 and 22 are dependent on claim 20.