Tomcat IP restriction vs Two Legged OAuth

Question

We have a server side API that is completely REST based. We are coding to secure them with two legged oAuth type authentication. We are planning to iPhone and Android apps in the future, but for now, we have a client application that will be allowed to connect to our server APIs. The UI and back end (REST) may be on the same server or different server.

My front end team tells me that given that this is an internal app, we don't need to secure them with oAuth, just as we would not need a key for each room of our own house. We can just use Tomcat IP restrictions as to what servers/IPs can access these APIs. It would be unnecessary and overkill to use oAuth type authentication for internal apps.

Is my front end team right? What is the advantage of securing REST APIs with oAuth for internal apps? We don't plan to use SSL initially, as this is a consumer, SaaS application

Answer 1

Are you talking about the authentication between users and the front-end app? or the front-end app itself and the backend?

I guess as with almost anything security related, it depends. You'd need to consider the value of the data available through this app, and compare it with the exposure it might have to compromise (external but also internal). It might or might not be sufficient using source-IP filtering, or even OAUTH, depending on this risk profile.

As for the analogy with the keys to the rooms in the house. True, you don't normally need keys to every room in the house, but when you go to the toilet, you might want to lock the door, just in case someone walks in on you. Or if you want to store the precious necklace your grand-grandmother used to wear, you might want to consider putting it in a safe. Or when you have lots of guests at a party, you might put all the expensive china in a storage room and lock it away and only leave paper cups... hope you see where this is going (and don't forget to invite us to the party!)