Web Service Security

 
Greenhorn
Posts: 6
IBM DB2 Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

I have written a web service for new user enrollment which will be used by our trusted 3rd-party services, but I found that anybody who comes to know the web service URL can enroll a user. Can you please let me know what I need to do to make sure that the request is coming from a valid party?

 
Rancher
Sounds like the service does not use authentication. A username/password scheme would be a good start. If I may point to something I've written, start reading at http://www.javaranch.com/journal/200603/Journal200603.jsp#a2 and then http://www.javaranch.com/journal/200709/Journal200709.jsp#a3. Those articles assume that you are using the Apache Axis SOAP stack and its Rampart WS-Security module.
 
Vijaya Patil

Ulf Dittmer wrote:Sounds like the service does not use authentication. A username/password scheme would be a good start. If I may point to something I've written, start reading at http://www.javaranch.com/journal/200603/Journal200603.jsp#a2 and then http://www.javaranch.com/journal/200709/Journal200709.jsp#a3. Those articles assume that you are using the Apache Axis SOAP stack and its Rampart WS-Security module.

Thank you Ulf!!
I could implement WS-Security using Axis 1.5.x successfully using your doc. I will try to use Axis2 now.
 
Ranch Hand
Keep in mind that it is better NOT to code security-related functionality into the logic of the web service or into the logic of the application that the web service connects to.

If the web service is SOAP-based, then the common best practice is to create a server-side message handler and configure it via a handler chain. Code the security logic in the message handler.
 
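As an added illustration of the handler-chain approach described in the reply above (example code written for this thread, not taken from it and not part of Axis or Rampart): a JAX-WS `SOAPHandler` that rejects any inbound request lacking a valid WS-Security UsernameToken before the enrollment endpoint method runs. It assumes the JAX-WS and SAAJ APIs (`javax.xml.ws`, `javax.xml.soap`) on the classpath and Java 9 or later; the class name, the sample credential map and the `authenticated.user` context property are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.ProtocolException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

/**
 * Hypothetical server-side JAX-WS handler. It runs before the endpoint method and
 * rejects any inbound request that lacks a valid wsse:UsernameToken, so the
 * enrollment logic itself contains no authentication code.
 */
public class UsernameTokenHandler implements SOAPHandler<SOAPMessageContext> {

    private static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final QName SECURITY = new QName(WSSE, "Security");
    private static final QName USERNAME_TOKEN = new QName(WSSE, "UsernameToken");

    // Constructed sample credentials (hypothetical). A real service would look the
    // partner up in a user store and compare against a salted password hash.
    private final Map<String, String> partnerPasswords = Map.of("partner-a", "s3cret-example");

    @Override
    public Set<QName> getHeaders() {
        // Declaring the header tells the runtime this handler understands mustUnderstand="1" on it.
        return Collections.singleton(SECURITY);
    }

    @Override
    public boolean handleMessage(SOAPMessageContext context) {
        boolean outbound = (Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (outbound) {
            return true; // responses are not inspected
        }
        try {
            SOAPHeader header = context.getMessage().getSOAPHeader();
            SOAPElement security = header == null ? null : firstChild(header, SECURITY);
            SOAPElement token = security == null ? null : firstChild(security, USERNAME_TOKEN);
            if (token == null) {
                // Throwing from an inbound handler makes the runtime return a SOAP fault to the caller.
                throw new ProtocolException("missing wsse:UsernameToken");
            }
            String user = childText(token, "Username");
            String pass = childText(token, "Password");
            if (!credentialsValid(user, pass)) {
                throw new ProtocolException("authentication failed");
            }
            // Expose the verified identity to the endpoint through the message context.
            context.put("authenticated.user", user);
            context.setScope("authenticated.user", MessageContext.Scope.APPLICATION);
            return true;
        } catch (SOAPException e) {
            throw new ProtocolException("malformed SOAP message", e);
        }
    }

    @Override
    public boolean handleFault(SOAPMessageContext context) {
        return true;
    }

    @Override
    public void close(MessageContext context) {
    }

    private boolean credentialsValid(String user, String pass) {
        String expected = user == null ? null : partnerPasswords.get(user);
        if (expected == null || pass == null) {
            return false;
        }
        // Constant-time comparison so response timing does not leak how many leading bytes matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     pass.getBytes(StandardCharsets.UTF_8));
    }

    private static SOAPElement firstChild(SOAPElement parent, QName name) {
        Iterator<?> it = parent.getChildElements(name);
        return it.hasNext() ? (SOAPElement) it.next() : null;
    }

    private static String childText(SOAPElement parent, String localName) {
        SOAPElement child = firstChild(parent, new QName(WSSE, localName));
        return child == null ? null : child.getValue();
    }
}
```

The handler is wired in by listing its class in a handler chain XML file and referencing that file from a `@HandlerChain(file = "...")` annotation on the endpoint implementation class, so the enrollment operation itself stays free of authentication code. A plain-text UsernameToken password travels in the clear unless the transport is TLS, so this only makes sense over HTTPS, and the stored value should be a password hash rather than the password itself.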
Vijaya Patil
Thanks Jimmy, I will take note of that.

I was busy with a different priority in the project, so coming back to this I have another question:

After going through your links and some other material, I know of the following approaches which can be implemented.
I want to know which one is better.

1. Configure username/password for each web service operation invocation.
2. Configure username/password to invoke an authenticate() operation first, which generates a token and sends it back to the client.
The client then uses this token to call subsequent web service operations.

Or let me know if there is any better approach other than these.

 
Ranch Hand
Option 2 is what is typically used. Authentication is typically for an application (and not an operation). If you want to control operation-level access, then I would guess that this would come under the scope of authorization. You can decide what authorization mechanism you use to limit users to specific operations only.
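An added worked example (written for this thread, not taken from it) of option 2 together with the authentication-versus-authorization distinction made in the reply above: an `authenticate()` step issues an opaque, expiring token, and every later operation is checked against both the token and a per-partner list of permitted operations. It is plain Java (16 or later, for the `record`), independent of any SOAP stack so that the flow itself is visible; the class name, partner names, credentials and operation names are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical token issuer for the "call authenticate() first, then present the
 * token on every other operation" approach. In a SOAP deployment the token check
 * would live in a server-side message handler, not in the enrollment logic.
 */
public class EnrollmentTokenService {

    /** What the server remembers about an issued token. */
    record Session(String partner, Instant expiresAt) {}

    private static final Duration TOKEN_LIFETIME = Duration.ofMinutes(30);
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    // Constructed sample data (hypothetical): partner credentials and the operations each may call.
    private final Map<String, String> passwords =
        Map.of("partner-a", "s3cret-example", "partner-b", "other-example");
    private final Map<String, Set<String>> allowedOps = Map.of(
        "partner-a", Set.of("enrollUser", "getUserStatus"),
        "partner-b", Set.of("getUserStatus"));

    /** Step 1, the authenticate() operation: returns an opaque token, or null if the credentials are wrong. */
    public String authenticate(String partner, String password) {
        String expected = passwords.get(partner);
        if (expected == null || password == null || !constantTimeEquals(expected, password)) {
            return null;
        }
        // 256 bits from a CSPRNG: the token carries no information, it is only a lookup key.
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(partner, Instant.now().plus(TOKEN_LIFETIME)));
        return token;
    }

    /** Step 2, run for every other operation: resolve the presented token to a partner, or null. */
    public String partnerForToken(String token) {
        if (token == null) {
            return null;
        }
        Session s = sessions.get(token);
        if (s == null) {
            return null;
        }
        if (Instant.now().isAfter(s.expiresAt())) {
            sessions.remove(token); // expired tokens are dropped on first use after expiry
            return null;
        }
        return s.partner();
    }

    /** Authorization, kept separate from authentication: may the caller behind this token invoke this operation? */
    public boolean authorize(String token, String operation) {
        String partner = partnerForToken(token);
        return partner != null && allowedOps.getOrDefault(partner, Set.of()).contains(operation);
    }

    /** Explicit revocation, e.g. a logout operation or an administrator disabling a partner. */
    public void revoke(String token) {
        sessions.remove(token);
    }

    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        EnrollmentTokenService svc = new EnrollmentTokenService();
        System.out.println("wrong password yields token? "
            + (svc.authenticate("partner-a", "wrong-example") != null));
        String tokenA = svc.authenticate("partner-a", "s3cret-example");
        System.out.println("partner-a may enrollUser? " + svc.authorize(tokenA, "enrollUser"));
        String tokenB = svc.authenticate("partner-b", "other-example");
        System.out.println("partner-b may enrollUser? " + svc.authorize(tokenB, "enrollUser"));
        System.out.println("partner-b may getUserStatus? " + svc.authorize(tokenB, "getUserStatus"));
        svc.revoke(tokenA);
        System.out.println("partner-a may enrollUser after revocation? " + svc.authorize(tokenA, "enrollUser"));
    }
}
```

The token is a random lookup key with a server-side expiry, so a leaked one is bounded in time and can be revoked without changing the partner's password; the per-partner operation list is the authorization layer the reply refers to, and partner-b is authenticated yet still denied the enrollment operation. The token must travel only over TLS, since anyone who captures it can use it until it expires or is revoked.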