I need to access the SOAP web service methods via ColdFusion CFHTTP. I can able to access the SOAP web service method. But, It's asking Wsse security header. I need to pass the wsse security header in the SOAP request. So, I searched with Google and found there are two types of security one is basic authentication and another one is binarysecuritytoken.
I need to use binarysecuritytoken. http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-x509TokenProfile-v1.1.1-os.html
But, I'm not sure how to do that in ColdFusion.
Could you please help me to complete this?
Thanks in advance.
Related
This is a similar situation to the one raised in this question:
Javascript Calling a Rest API with App Name and App Password - How Can i Secure it
Here is the architecture overview:
The site is Html5/jquerymobile
It contacts what I call a "Wrapper" service.... This is a REST API I wrote in C#, to contact another 3rd party REST API. I do this because there are credentials in the Header and the API uses Basic Authentication. Credentials are therefore not publicized as they are only known server-side.
My "Wrapper" service does not currently implement any additional security. It is currently accessible from anywhere. The easiest and quickest way to lock it down is to restrict by IP, so no other IP anywhere except the server can actually contact my wrapper service.
The questions:
Is the locking by IP the only way to ensure that the API won't get hammered if it was otherwise accessible from anywhere?
If I convert this using Phonegap (which I have... and deployed successfully on Android), obviously the native app won't work if the web service is restricted.
Is there a way around this so I can allow traffic only from the mobile app, and not from any other source? I'm thinking along the lines of MD5 hash or something that could be sent to the wrapper API.. but unfortunately I'm thinking that info can easily be "sniffed".
Is my only viable option here to release the app as a web app, forcing browser use, thereby removing any concerns about allowing my web service to be hammered??
I believe the answer to this is a combination of a user token and encrypting the message through SSL.
The server can issue a valid user a token so we can identify him in future requests.
Encrypting it via SSL will ensure that this token cannot be sniffed.
https://security.stackexchange.com/questions/12531/ssl-with-get-and-post
I have a webapp which has jsps. am not using any struts or mvc framework. We have JAX-RS service build using Apache CXF.
Now i want to do following
Allow user to login with username and password.
For all subsequent calls to webservice, same authentication info should be used.
Logged in user has some details (profile photo, full name), which i want to keep it constant across session.
Also, its role are defined. Based on role(s) only certain jax-rs calls will be allowed.
Roles are also used in JSP to restrict access to functionality.
Web services can be accessed outside so authentication and authorization info should be used.
As far as i understand, We should not use session in jax-rs services. What is the best way to handle above situation ?
The best way depends on how you estimate it.
My way of doing this is to
Run Rest service and JSP on the same instance
Use web.xml and CXF to set up security policy, which allows user/pw authentication and authorization, ROLES binded to both jax-rs urls and JSP urls.
Based on 2, jax-rs services can be called directly outside, but user/pw is required as you specified.
Hope this can help you a bit.
Think cxf security validation as any other http or https validation. you have to intercept the request and pass it to the rest service. You can use any of the tools like siteminder, else can write CXF interceptor to do your own security validation. In the interceptor you can call SSO kind of token generator server in case you have the infrastucture or call the DB if your architecture is built that way. You can use caching to reduce the resource hits and can look at custom or hibernate cache. enabling Https has to be done in server configuration. If you have certificate , you can use the same else you can generate your own using openssl.
I am new to web service, I am done with a web service and created a client based on wsdl of that web service. How can I implement security to the web service so that it will be secured or authenticate?
I googled and got: to add policy annotation in my web service class which will have the name of my associating policy file name. What is this associating policy file or .xml file and how it can be done?
please help
For this you need to use rampart module provided by apache foundation. Therre is something called UsernameToken that you can implement, so that when a a client tries to access the webservice, he needs to provide the user name and password in the password callback method. In the server side also, the password callback method is going to be invoked. There we can verify the received user name and password, and depending on its success or failure, you can either allow the web service to be invoked or throw an exception specifying the reason of failure. It's quite easy. You first download rampart module from apache foundation, and then study the samples given in that archive file.
Best Of Luck
how can i dynamically configure rampart on the service side? I mean I'd like to use different service keys for different clients.
Any hint or link to a tutorial is a big help.
thanks
To clarify, you want the ability to issue a different token depending on the client credentials? This sounds a lot like Security Token Service (STS)
It is possible to accept a range of credential options. Rampart makes you implement your own callback class to verify the initial credentials.
You can implement your own TokenIssuer to customize the response (http://axis.apache.org/axis2/java/rampart/setting-up-sts.html) and either bundle that inside your service archive or externalize it. You can use whatever criteria is fit for determining the responsetoken.
i have an webservive written where any user hit the url can acces the webservice.now i need to set username and password for the webservice so that before accessing the webservice they need to provide the user credentials only valid user would be allowed to access the webservice
how can i achive this functionality. is there any setting tat i need to do
any help would be great
thank you
one way of imposing security to access your web service is to use HTTP security... this can be done at the level of of the web site, of the web server, hosting the web service. for example, IIS virtual directory's properties has the security tab that you can use either basic security or plain text or integrated windows security. this way you will protect the whole web site