Web services security

 
Greenhorn
Posts: 8
Hi all,

I have a requirement to add security to webservices in a J2EE application where the clients are other applications. The application handles pure http and soap requests that need security. The application runs on weblogic and Spring is used for autowiring the components.

I am leaning towards a PKI approach, but I am not sure how to implement it.

Any pointers to examples and preferable technologies would be highly appreciated.

Thanks a lot in advance.
 
Rancher
Posts: 43028
76
WS security has several components, like authentication, encryption, and digital signing. Your comment about PKI leads me to believe that you're interested in encryption; is that correct? If so, that's what the WS-Security standard addresses (for SOAP), which these days is supported by all major WS implementations. Which API or SOAP stack are you using?

For HTTP/Restful service you'd need to go with HTTPS for encryption.
 
ramanika kollareddy
Greenhorn
Posts: 8
Hi

Thank you for the prompt reply.

I am new to webservices and security.
I need to do authentication and authorization but the client requests might not always contain the user credentials information.

I am not sure about your question about SOAP stack. We have an Axis-based webservice generated from an existing pojo.

The SOAP clients use dot-net to access this webservice.
The http clients use direct http url that we provide for the client requests.

I am not sure what type of security authentication and authorization to proceed with and whether to implement it at weblogic server or use spring or any other technology.

Any more pointers and useful information in terms of books, methodologies, technologies and examples would be highly appreciated.

Thanks in advance.
 
Ulf Dittmer
Rancher
Posts: 43028
76
The WS-Security standard can provide authentication; authorization is really outside of its purview.

The Rampart module implements WS-Security for Axis; you can get it from the Axis web site.
WS-Security is also available for .Net, but I can't point you to where to find information on that.

By "HTTP clients" do you mean RESTful clients that do not use SOAP, or just sending XML over HTTP? If so, you can't use WS-Security (which is only for SOAP-based services); but HTTP Basic Authentication would work for that.
 
ramanika kollareddy
Greenhorn
Posts: 8
Yes. The http client requests are simple http requests passing xml.

Few more questions:

1) Is HTTP Basic Authentication useful/fast in case of thousands and thousands of client requests per second?

2) Is there any other mechanism to deal with high volume requests? How about the cases where the client requests without user credentials still need to be processed and thus pass the security mechanism?

3) Also, can http basic authentication be used with weblogic server?

Thanks in advance.
 
Ulf Dittmer
Rancher
Posts: 43028
76

1) Is HTTP Basic Authentication useful/fast in case of thousands and thousands of client requests per second?


Basic Authentication is quite simple, so it doesn't take a lot of processing. Thousands of requests per second of course requires serious hardware, certainly several load-balanced servers.

2) Is there any other mechanism to deal with high volume requests? How about the cases where the client requests without user credentials still need to be processed and thus pass the security mechanism?


I'm not sure what you're asking. If a request comes in that doesn't need to have authentication applied, then don't check for it.

3) Also, can http basic authentication be used with weblogic server?


Basic Auth is part of HTTP, and thus supported by all compliant servers.
 
ramanika kollareddy
Greenhorn
Posts: 8
Hi

Couple of quick questions:

1) Is there a way to have security common to soap and simple rest style http requests at the servlet level? Like using an interface that has authentication/authorization methods. Also can servlet filters be used instead?

2) How to generate the security tokens and store them? Is there a tool that can be used for this?

Any pointers to examples are highly appreciated.

Thanks in advance for your time.

 
Ulf Dittmer
Rancher
Posts: 43028
76

ramanika kollareddy wrote:Is there a way to have security common to soap and simple rest style http requests at the servlet level? Like using an interface that has authentication/authorization methods. Also can servlet filters be used instead?


Most SOAP and REST implementations in Java use servlets underneath - so it's possible to use the common HTTP security measures, like SSL and Basic/Digest Authentication. In that case, it's best to keep the code that deals with that out of the service code itself, and use a filter instead (which could be used for both kinds of accesses).
 