How to do Kerberos / SPNEGO support in a RESTful service? - web-services

I have a client written in C; it uses libcurl to send JSON to a RESTful API service (call it the server). The server is written in Java, and the RESTful API is implemented with Jersey, one of the JAX-RS implementations (it's very simple and can switch to another JAX-RS implementation). Now I want to do some security work on the C client's access to the Java RESTful API server. I searched on the Internet, and it seems I should use Kerberos or SPNEGO for the HTTP access. I ran into some problems.
I want to use Kerberos/SPNEGO authentication. But I looked through the security part of the Jersey docs (https://jersey.java.net/documentation/latest/security.html) and I didn't find any Kerberos-related documentation. Do you know whether Jersey supports Kerberos?
If I switch to Apache CXF, is it easy to switch? I checked the docs about CXF Kerberos support. It looks too simple; do you have any detailed docs or a simple example of supporting Kerberos authentication when using Apache CXF?
If there is anything wrong, please correct me. Thanks.

This is achievable with Jersey. Jersey Client uses CloseableHttpClient in its implementation.
If you want to use the SPNEGO authentication scheme for Kerberos, you may have to write a custom Connector and ConnectorProvider (I haven't found a way to set the AuthenticationScheme with ApacheConnector).
Check this post too for reference, in case it solves your use case: "Can JCIFS be used with Jersey?" :)
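
For the server side of the question above, one way to accept SPNEGO tokens in a Jersey (JAX-RS 2.x) application is a request filter built on the JDK's JGSS API. This is an added example, not code from the original posts or from Jersey; the class name `SpnegoFilter` and the `spnego.principal` property are hypothetical, and it assumes the JVM runs with `-Djavax.security.auth.useSubjectCredsOnly=false` and a JAAS `com.sun.security.jgss.accept` entry that points at the service keytab.

```java
import java.util.Base64;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.ietf.jgss.*;

// Added example: single-leg SPNEGO acceptor as a JAX-RS filter (hypothetical class).
@Provider
@Priority(Priorities.AUTHENTICATION)
public class SpnegoFilter implements ContainerRequestFilter {
    private static final String PREFIX = "Negotiate ";

    @Override
    public void filter(ContainerRequestContext ctx) {
        String h = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (h == null || !h.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            ctx.abortWith(challenge()); // no token yet: ask the client to negotiate
            return;
        }
        GSSContext gss = null;
        try {
            byte[] in = Base64.getDecoder().decode(h.substring(PREFIX.length()).trim());
            GSSManager mgr = GSSManager.getInstance();
            // Acceptor credential for the SPNEGO mechanism, loaded via the JAAS entry (assumption).
            GSSCredential cred = mgr.createCredential(null,
                GSSCredential.INDEFINITE_LIFETIME, new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY);
            gss = mgr.createContext(cred);
            gss.acceptSecContext(in, 0, in.length); // reply token for mutual auth is not returned here
            if (!gss.isEstablished()) {
                // The context is per request, so a multi-leg exchange cannot continue: reject.
                ctx.abortWith(challenge());
                return;
            }
            // Authenticated Kerberos principal, e.g. for an authorization check in the resource.
            ctx.setProperty("spnego.principal", gss.getSrcName().toString());
        } catch (GSSException | IllegalArgumentException e) {
            ctx.abortWith(challenge()); // malformed base64, expired or invalid ticket
        } finally {
            if (gss != null) try { gss.dispose(); } catch (GSSException ignored) { }
        }
    }

    private static Response challenge() {
        return Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Negotiate").build();
    }
}
```

The libcurl client from the question sends the matching token when libcurl is built with GSS-API support and `CURLOPT_HTTPAUTH` is set to `CURLAUTH_NEGOTIATE`.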

Related

C# Console Application connecting to a 1.1 web service (WCF/WSE/WebRequest)

I have been provided with a SOAP 1.1 WSDL and a password-protected P12 X509 certificate to connect to a web service to periodically transmit records. I have also been provided with a how-to guide to sign the message using the X509. The example provided illustrates how to sign the message and provide appropriate security message headers. The sample code is in Java, and includes functions for signing the message which interact with the SOAP message directly.
The application I'm writing is a C# console app with Entity Framework elements to retrieve the data.
My question is related to the best approach for tackling this problem:
Use WCF with static configuration where possible.
Use WCF with programmatic configuration (e.g. using custom MessageHeaders).
Use WebRequest/WebResponse and craft the messages manually.
Use WSE 3.0 and convert the WSDL to a proxy class using the older command line tools.
I've been investigating the WCF routes - WCF is ideal if you control both sides of the equation - but the articles are thinning out for my specific use case.

Can we use SOAP on intranet?

I am new to services. I am sorry for my question being a little theoretical. On a site I was reading about SOAP, they said it works over internet.
Can we use SOAP-based services in an intranet environment?
Can we use HTTP over an intranet, or is it just an internet protocol?
Please guide.
You can use SOAP over any TCP network. This could be internet or intranet. SOAP is an interoperable protocol over HTTP. And HTTP works over TCP. So everywhere you have HTTP you can have SOAP. Basically SOAP is a protocol which allows heterogeneous systems to communicate using industry-defined standards.
And note that SOAP is getting less attention lately compared to REST which is starting to gain lots of momentum.
SOAP is a service supported by a server/web service. You can even use SOAP to translate data between two services on the same server box that have no other form of API.

Is it possible to use SoapUI for testing services secured with SPNego?

I have a web service secured with SPNego (HTTP challenge returns WWW-Authenticate: Negotiate). This security mode is also referred to as Windows integrated authentication. Is it possible to use SoapUI to test this service? It looks like SoapUI (4.0.0) ends communication once it gets the 401 challenge HTTP response instead of following the negotiation algorithm.
Please see the answer to the same question here:
Testing web service with SoapUI and Windows authentication
The working solution is to use a proxy for adding Windows authentication headers to your requests.

Can I create a Java servlet as a REST web service

Can I use a Java Servlet as a REST web service?
And how do I make a request to the servlet using curl?
Thanks
Sure, you can use a (raw) servlet to create a REST service. But that is too much work knowing that there exists a standard API for this (JAX-RS JSR-311) and many frameworks implementing it:
http://www.jboss.org/resteasy
http://cxf.apache.org/docs/jax-rs.html
http://jersey.java.net/

Developing a secure WS client for consuming a Axis2 Web Service with Rampart WS Security module?

I have an Axis2 web service secured using Rampart. I want to develop secure clients for it, preferably JAX-WS based. I tried a lot of tutorials but they are so closely tied to each other, like including Axis2 libraries on the client side. The client should be fairly independent of the WS service framework, as the service can be consumed by .NET-based clients or even PHP-based clients.
Thanks in advance...
As I understand it, you would want to be able to feed the policy defined for your Rampart-secured web service into your JAX-WS client.
That ought to be doable. As you say, the idea is to be able to execute different client and server technologies, standardized around WSDLs...
We're only just getting into this, so I don't have any hands-on knowledge for you.
But I would think you should be able to copy the policy info for your Rampart on the server in the services.xml file and put it in your client.
This seemed pretty helpful:
https://metro.dev.java.net/guide/
Sections 12 and 18 in particular.