Web services security

ramanika kollareddy
Greenhorn

Joined: Sep 04, 2008
Posts: 8
Hi all,

I have a requirement to add security to webservices in a J2EE application where the clients are other applications. The application handles pure http and soap requests that need security. The application runs on weblogic and Spring is used for autowiring the components.

I am leaning towards PKI approach. But not sure as how to implement it.

Any pointers to examples and preferable technologies would be highly appreciated.

Thanks a lot in advance.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41613
WS security has several components, like authentication, encryption, and digital signing. Your comment about PKI leads me to believe that you're interested in encryption; is that correct? If so, that's what the WS-Security standard addresses (for SOAP), which these days is supported by all major WS implementations. Which API or SOAP stack are you using?

For HTTP/Restful service you'd need to go with HTTPS for encryption.


ramanika kollareddy
Greenhorn

Joined: Sep 04, 2008
Posts: 8
Hi

Thank you for the prompt reply.

I am new to webservices and security.
I need to do authentication and authorization but the client requests might not always contain the user credentials information.

I am not sure about your question about the SOAP stack. We have an Axis-based webservice generated from an existing POJO.

The SOAP clients use dot-net to access this webservice.
The HTTP clients use a direct HTTP URL that we provide for the client requests.

I am not sure what type of security authentication and authorization to proceed with and whether to implement it at the WebLogic server or use Spring or any other technology.

Any more pointers and useful information in terms of books, methodologies, technologies and examples would be highly appreciated.

Thanks in advance.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41613
The WS-Security standard can provide authentication; authorization is really outside of its purview.

The Rampart module implements WS-Security for Axis; you can get it from the Axis web site.
WS-Security is also available for .Net, but I can't point you to where to find information on that.

By "HTTP clients" do you mean RESTful clients that do not use SOAP, or just sending XML over HTTP? If so, you can't use WS-Security (which is only for SOAP-based services); but HTTP Basic Authentication would work for that.
ramanika kollareddy
Greenhorn

Joined: Sep 04, 2008
Posts: 8
Yes, the HTTP client requests are simple HTTP requests passing XML.

Few more questions:

1) Is HTTP Basic Authentication useful/fast in case of thousands and thousands of client requests per second?

2) Is there any other mechanism to deal with high volume requests? How about the cases where the client requests without user credentials still need to be processed and thus pass the security mechanism?

3) Also, can HTTP Basic Authentication be used with WebLogic Server?

Thanks in advance.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41613
1) Is HTTP Basic Authentication useful/fast in case of thousands and thousands of client requests per second?

Basic Authentication is quite simple, so it doesn't take a lot of processing. Thousands of requests per second of course requires serious hardware, certainly several load-balanced servers.

2) Is there any other mechanism to deal with high volume requests? How about the cases where the client requests without user credentials still need to be processed and thus pass the security mechanism?

I'm not sure what you're asking. If a request comes in that doesn't need to have authentication applied, then don't check for it.

3) Also, can HTTP Basic Authentication be used with WebLogic Server?

Basic Auth is part of HTTP, and thus supported by all compliant servers.
ramanika kollareddy
Greenhorn

Joined: Sep 04, 2008
Posts: 8
Hi

Couple of quick questions:

1) Is there a way to have security common to SOAP and simple REST-style HTTP requests at the servlet level? Like using an interface that has authentication/authorization methods. Also, can servlet filters be used instead?

2) How to generate the security tokens and store them? Is there a tool that can be used for this?

Any pointers to examples are highly appreciated.

Thanks in advance for your time.

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41613
ramanika kollareddy wrote: Is there a way to have security common to SOAP and simple REST-style HTTP requests at the servlet level? Like using an interface that has authentication/authorization methods. Also, can servlet filters be used instead?

Most SOAP and REST implementations in Java use servlets underneath - so it's possible to use the common HTTP security measures, like SSL and Basic/Digest Authentication. In that case, it's best to keep the code that deals with that out of the service code itself, and use a filter instead (which could be used for both kinds of accesses).
 