
Are REST calls from WebSphere Application Server to another server visible?


Say that I'm running an application on WebSphere Application Server and in some Java class, it makes a REST call by providing a client ID and client secret to receive a refresh token for OAuth2, and then later at some point, it also makes a REST call by providing the refresh token to receive an access token.

The source code is obviously not going to be visible to debug through and inspect these values, but my question is whether the values being passed in these REST calls (namely the client secret and refresh token) and the response (access token) can be viewed by someone who has access to the machine running the server.

The reason I ask is that I am thinking of storing these unchanging values (client ID, client secret, refresh token) somewhere where they cannot be viewed by anyone other than through a JDBC connection in the Java code, and I plan to use these values for authentication purposes with some server somewhere. I do not want the person this application is being used by to be able to view these values because if they can, they can do some damage by accessing other public APIs on the server.

I intend to only let the Java code (backend) interact with the server for authentication and grabbing some resource, but I do not want to allow the person who has access to this machine (but does not have access to where these values are stored) to view the details of the REST request and response.

Thank you.


Solution

  • It's unclear which server you're referring to in various places.

    If you make an outbound HTTPS request from a WebSphere server to a second server, you have to assume all details of the request and response are visible to the operators of the software on both sides.

    Either side can trace all of its own input and output.
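As an added example (not part of the original question or answer): the refresh-token exchange the question describes, run locally with both sides recording what they send and receive. A throwaway token endpoint stands in for the authorization server; the client function stands in for the Java code on WebSphere. Every credential, token value and the `/token` path are constructed for the demonstration. Plain HTTP is used so it runs offline; TLS would not change what each side can log, because it terminates inside the very processes whose operators are being discussed.

```python
"""Added example: OAuth2 refresh_token grant with both endpoints tracing their own I/O.
Credentials, tokens and the endpoint path below are constructed, not real."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Constructed credentials (assumptions for the demo).
CLIENT_ID = "websphere-app"
CLIENT_SECRET = "s3cr3t-example"
REFRESH_TOKEN = "rt-example-0001"
ACCESS_TOKEN = "at-example-9999"

server_trace = []   # what the token server's operator can log
client_trace = []   # what the WebSphere (client) operator can log


class TokenHandler(BaseHTTPRequestHandler):
    """Minimal /token endpoint accepting only the refresh_token grant."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode()
        form = {k: v[0] for k, v in parse_qs(body).items()}
        # The server side sees the raw body, including the client secret.
        server_trace.append({"path": self.path, "body": body, "form": form})
        ok = (form.get("grant_type") == "refresh_token"
              and form.get("client_id") == CLIENT_ID
              and form.get("client_secret") == CLIENT_SECRET
              and form.get("refresh_token") == REFRESH_TOKEN)
        if ok:
            payload = {"access_token": ACCESS_TOKEN, "token_type": "Bearer", "expires_in": 300}
            self.send_response(200)
        else:
            payload = {"error": "invalid_grant"}
            self.send_response(400)
        data = json.dumps(payload).encode()
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence default stderr logging; we keep server_trace
        pass


def start_server():
    """Bind an ephemeral localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), TokenHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def refresh_access_token(token_url, client_id, client_secret, refresh_token):
    """Client side (what the Java code on WebSphere does). Returns the parsed JSON
    body, which is the error document on an HTTP 4xx."""
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "client_id": client_id, "client_secret": client_secret}).encode()
    req = Request(token_url, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    # The client side sees its own outgoing body (secret and refresh token) ...
    client_trace.append({"direction": "out", "body": body.decode()})
    try:
        with urlopen(req) as resp:
            text = resp.read().decode()
    except HTTPError as e:
        text = e.read().decode()
    # ... and the incoming response (the access token).
    client_trace.append({"direction": "in", "body": text})
    return json.loads(text)


def run_exchange(secret=CLIENT_SECRET):
    """Run one exchange against the local endpoint; return the response plus both
    traces so the caller can inspect what each operator would have been able to log."""
    srv = start_server()
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}/token"
        resp = refresh_access_token(url, CLIENT_ID, secret, REFRESH_TOKEN)
    finally:
        srv.shutdown()
    return resp, server_trace, client_trace


if __name__ == "__main__":
    resp, strace, ctrace = run_exchange()
    print("token server operator saw:", strace[-1]["form"])
    print("client operator saw:", ctrace)
    print("response:", resp)
```

The two trace lists are the point: nothing in the protocol keeps the client secret or refresh token out of the server's logs, and nothing keeps the access token out of the client's. Storing the values behind a JDBC lookup changes where they rest, not what the process that uses them (and anyone who can attach to or trace that process) can observe.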