Web Service Security

Monoj Roy
Ranch Hand

Joined: Oct 10, 2007
Posts: 98
We have developed a web service and some third parties outside our client network want to access it. We have to make sure that our web service is invoked only by the correct party.
We thought to create one encryption function to encrypt the password provided by the consumer, so whenever the correct party hits our service the password will be encrypted and sent through the header of the SOAP message. When the request comes to the server end we decrypt the password and validate it.

For example, let's say the password is p123. Now the client will incorporate some extra text with it, let's say XYZ, so it will send the password as p123XYZ; we will make sure that no one knows how to convert p123XYZ back to the correct password p123 because the decryption logic is known to the server only. So once the password reaches the server we can apply the correct decryption logic and take out the password.

Till now everything was fine. Now the question is: what if somebody in the middle hacked the encrypted password? Let's say the client application wrongly sends the SOAP XML to some third party and the third party just copies the encrypted password and sends it to the actual server. We are not able to understand whether it is coming from the correct party or a party pretending to be the actual client.

How do we ensure that if this encrypted password is sent to anybody, that party will still not be able to hit the web service?
pradeep jaladi
Ranch Hand

Joined: Nov 21, 2004
Posts: 65
Monoj Roy,

The simplest way is to enable the HTTPS layer and provide your client a public key.

Pradeep Jaladi

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 41129
You didn't say which SOAP stack you're using, but all major SOAP stacks support WS-Security - that's what you should be using to secure your WS. You should never encrypt or decrypt a password, but use password hashing instead (which WS-Security supports). WS-Security can also encrypt your message, if you're worried about that in addition to being worried about password security. That would ensure that a stolen password alone cannot be used to subvert your WS.

Using HTTPS in conjunction with WS should be considered obsolete with the advent (years ago) of WS-Security - message-level security has advantages over transport-level security.

Ping & DNS - my free Android networking tools app
Monoj Roy
Ranch Hand

Joined: Oct 10, 2007
Posts: 98
Thanks for your response and guidance.

In our web service we have used JAX-WS, using RAD and WebSphere Application Server. Our web service follows the top-down approach.

After I googled WS-Security, and especially after going through the URL
webpage, I understand
we can implement this using WSS4J, but I still need two more inputs to implement this.
1. I need to know what components I need to incorporate in my code to make it run; for example, we have to write a handler, update the deployment descriptor in the server, and maybe something on the client side as well.
2. How does it ensure my web service will not be hacked if somebody gets access to the request SOAP XML, which actually contains the password in its header?
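
The mechanism behind question 2 is the PasswordDigest form of the WS-Security UsernameToken: the client never sends the password, only Base64(SHA-1(nonce + created + password)) together with the nonce and the Created timestamp, and the server recomputes the digest, rejects timestamps outside a small window, and refuses to accept the same nonce twice. The following is an added example written for this thread, not code from the original posts, from WSS4J or from WebSphere; it is in Python rather than Java so the exchange can be run stand-alone, and the usernames, passwords, clock values and the in-memory credential store are constructed for the demonstration. It walks through exactly the scenario of the first post: a genuine request, the same header copied and resent, the digest reused under another account, and an old captured header resent later.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created format used by the UsernameToken profile


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest as defined by the WS-Security UsernameToken profile:
    Base64(SHA-1(nonce + created + password)), with the nonce as raw bytes."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_username_token(username: str, password: str, now=None) -> dict:
    """Client side: the fields of a wsse:UsernameToken. The password itself never
    leaves the client; only a digest bound to a fresh nonce and timestamp does."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime(TIME_FMT)
    nonce = os.urandom(16)  # fresh random nonce per request
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


class UsernameTokenVerifier:
    """Server side: recompute the digest and reject stale or replayed tokens."""

    def __init__(self, credentials: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.credentials = credentials  # username -> password; constructed sample store
        self.max_skew = max_skew        # tolerated clock difference between client and server
        self.seen = set()               # (username, nonce, created) triples already accepted;
                                        # entries older than max_skew could be expired safely

    def verify(self, token: dict, now=None):
        now = now or datetime.now(timezone.utc)
        password = self.credentials.get(token["Username"])
        if password is None:
            return False, "unknown user"
        created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_skew:
            return False, "timestamp outside window"
        key = (token["Username"], token["Nonce"], token["Created"])
        if key in self.seen:
            return False, "replayed nonce"
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False, "digest mismatch"
        self.seen.add(key)  # only remember tokens that actually authenticated
        return True, "ok"


def demo() -> dict:
    """One genuine exchange followed by the misuse cases raised in the thread."""
    verifier = UsernameTokenVerifier({"consumer": "p123", "other": "s3cret"})
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible run
    token = build_username_token("consumer", "p123", now=now)
    results = {}
    results["genuine"] = verifier.verify(token, now=now)
    # 1. the SOAP header is copied verbatim and sent again by a third party
    results["replay"] = verifier.verify(dict(token), now=now)
    # 2. the digest is reused under a different account
    results["wrong_user"] = verifier.verify(dict(token, Username="other"), now=now)
    # 3. a header captured an hour ago is resent after the nonce cache could have forgotten it
    old = build_username_token("consumer", "p123", now=now - timedelta(hours=1))
    results["stale"] = verifier.verify(old, now=now)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:11s} -> {outcome}")
```

Two points follow from the code rather than from the thread: the timestamp window and the nonce cache only work together (the cache needs to hold nonces at least as long as the window, and the window is what keeps the cache bounded), and the digest protects the password, not the rest of the message, so the encryption and integrity requirements need message-level signing and encryption (or TLS) in addition.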

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 41129
You wouldn't (and shouldn't) be using WSS4J directly. Consult the WebSphere documentation to learn how to use WS-Security with it; the specifics differ from app server to app server.
Monoj Roy
Ranch Hand

Joined: Oct 10, 2007
Posts: 98
I took some time to go through some internet docs on configuring WS-Security. I am trying to apply the security in WebSphere Application Server using RAD. Now I am getting the following issue.

Business Need:
In our development project we have a mechanism to expose some master data as a web service. We have to make this web service secure from the following three points:

1. This service should be password protected. Username /password authentication.
2. The request and response XML need to be encrypted.
3. When this XML will travel through network no one could change it.

Our Approach:

We are trying to implement WS-Security here to meet the above business need. I am getting the following fault from SoapUI

1. Tool- RAD -8.0.4
2. App Server- WebSphere Application Server
3. WSDL-Java code generation -JAX-WS
4. Security Token formats –X.509