
Securing Web Services

Russell Ray
Ranch Hand

Joined: Apr 25, 2005
Posts: 116
I am hoping others in this group can provide me some solid feedback concerning web services and securing them.

The task at hand is we have two application servers--WebLogic and WebSphere. We are looking for a uniform approach.

We have instituted a userNameToken approach within the Header, but all the examples we see are clear text examples. We would like to encrypt the password. This leads us to the next level of security and how it should be implemented. My initial design is for the handlers to encrypt and decrypt the password using a private key.

I would like to hear from others who have used encryption and how they tackled the process........

Thanks in advance
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41180
    
Before you tackle encryption, have you looked at using a digest password instead of cleartext? It's just as easy to set up, although your Handler on the server will need to work a bit differently.


Russell Ray
Ranch Hand

Joined: Apr 25, 2005
Posts: 116
Okay, I looked at message digest briefly and thought this was good. Can you point me in the right direction? I need examples.......
Russell Ray
Ranch Hand

Joined: Apr 25, 2005
Posts: 116
duh........google it silly.......
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41180
    
You may have figured it out by now, but in case you're using something like WSS4J, instead of using
<parameter name="passwordType" value="PasswordText"/>
you would use
<parameter name="passwordType" value="PasswordDigest"/>

while in your server-side PasswordCallback, you need to set the password that you're expecting for the user, instead of getting it. That's because a digested password can't be undigested into cleartext, but the expected password needs to be digested as well.
 