We have intranet-based Notes applications. We need to create a web service provider from Notes, and it needs to be consumed from another internet-based application.
Note: the consumer will be triggered from an external environment, not from our network.
For e.g.: Network X is ours; all the Notes applications work only in network X (not on the internet). It means that single sign-on is not enabled. The external application is in network Y.
We have a provider and it works fine on our end. But we need to consume it from the external application, which is ASP.NET.
Question :
Does single sign-on need to be enabled on our Domino server?
Is it possible to consume my provider from the external application without enabling single sign-on?
Which is the secure web service scenario in Lotus Notes Domino?
We are using Notes 8.5.3.
Thanks in advance
I will start a response, but I'm afraid that you didn't give enough information to get the response you need.
Basically, your WS provider is anonymous, so a consumer calling it from the Y network will act as anonymous.
[edited]
From your network Y, simply open the WSDL to check that you have access:
//server/yourdb.nsf/WS_name?wsdl
Using a tool like SoapUI, try to consume it.
According to your remark (hello world) you don't need what I mention below about security. I suggest you read Creating your first Web Service provider and consumer in LotusScript and Java.
Security
If the data you want to send is publicly accessible, you don't have to care about security and SSO. If in contrast you need to give access through your WS to a limited audience, you will have to read and do what IBM recommends:
How to secure a web service hosted on a Domino server
I suggest you provide some information:
in which language the WS is written (LS / Java)
how / at what granularity you implemented the security (reader field, or ACL)
what data you are returning with your WS
Is it possible to block connections to a web service (server) from outside its domain?
For example consider a web app that fetches data from Twitter's API using Twitter's "application only auth". The web app's client uses AJAX to call it's own server, which in turn calls Twitter's API with Twitter's token.
While the token is never exposed to the client side code is there anything to stop an outside server side app from calling the web app's server using the URLs used by the client and for example exhausting the Twitter tokens rate limits?
Is it possible to block connections to a web service (server) from outside its domain?
Certainly. Set your web server's access control lists to drop connections from outside of your IP range. Alternately, install a firewall. That's very straightforward, but I suspect you mean something else by "outside its domain?"
From your description, you seem to be really asking whether you can verify that you're only talking to your own client application. As a general rule, no. You can authenticate users. That's easy. If the user isn't logged in and authorized to use your service, you don't forward requests to Twitter. But you can't authenticate applications.
If you're going to accept any user who shows up, you can't stop them from using whatever client they want. There is no way to ensure that it is your unmodified client if you've allowed it to be run on their machine. They can always modify it, and they can always send you arbitrary traffic from other programs and you can't tell the difference. On the network, bytes are bytes.
It's not all hopeless; there are things you can do. See https://stackoverflow.com/a/9183066/97337 for another version of this question, and links to several other versions of the question. (They're not exactly duplicates in how they're asked, but they all wind up being basically the same answer.)
You should secure your web service with user-and-password security or certificate security. The basic idea is that the web service client must authenticate in order to call your web service.
Here are some techniques (there are others, or variations):
1) HTTP basic authentication and HTTPS
2) Mutual SSL authentication - also called two-way authentication, a process in which both entities authenticate with each other. The server presents a certificate to the client and the client presents a certificate to the server.
3) With SOAP web services you can use the WS-Security standard.
4) OAuth framework
5) With REST services you can use options 1), 2), 4). Or implement one on your own. These are good recommendations.
As you can see, there are a lot of ways to secure a web service.
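Technique 1) above, HTTP Basic authentication over HTTPS, is the one most often done badly, so here is an added example (not code from the answer above or from any of the products mentioned on this page) of the server-side check. It assumes a constructed in-memory user store with PBKDF2-hashed passwords and an `is_https` flag supplied by whatever front end terminates TLS; the names `register`, `basic_header`, `parse_basic`, `check_password` and `authenticate` are hypothetical. The point it adds to the list: Basic credentials are only base64-encoded, so the server must refuse them over plain HTTP, compare hashes in constant time, and make an unknown user cost the same as a wrong password.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, iterations, PBKDF2 digest).
# A real service keeps this in a database; the plaintext password is never stored.
_USERS = {}
_ITERATIONS = 100_000


def register(username, password):
    """Store a salted PBKDF2-HMAC-SHA256 hash of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    _USERS[username] = (salt, _ITERATIONS, digest)


def basic_header(username, password):
    """Client side: the 'Authorization' value a caller sends (base64 is encoding, not encryption)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(header):
    """Return (username, password) from an Authorization header value, or None if malformed."""
    if not header:
        return None
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    username, _, password = raw.partition(":")  # RFC 7617: the user-id cannot contain ':'
    return username, password


def check_password(username, password):
    """Constant-time comparison; an unknown user costs the same as a wrong password."""
    record = _USERS.get(username)
    salt, iterations, digest = record if record else (b"\x00" * 16, _ITERATIONS, b"\x00" * 32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return record is not None and hmac.compare_digest(candidate, digest)


def authenticate(headers, is_https):
    """Server side: returns (authenticated, http_status) for one request."""
    if not is_https:
        # Technique 1 is 'Basic auth AND HTTPS': never accept credentials in the clear.
        return False, 403
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return False, 401  # a real server also sends WWW-Authenticate: Basic realm="..."
    ok = check_password(*creds)
    return ok, (200 if ok else 401)
```

The same `authenticate` gate works in front of a SOAP or a REST endpoint, since Basic authentication lives in the HTTP layer; that is also its limit, which the WS-Security answers further down this page discuss.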
Would I be right in thinking that a Web service's API is a client of the Web service, which provides function names to access the Web service?
Not exactly, although the last part of your statement may be correct..ish.
API stands for "Application Programmer Interface" (or something along those lines anyway). Basically, an API is a set of specifications, telling a using party (the client) how to access some resource (the Web Service).
A client can for instance be an application which connects to a service in accordance with the specifications in an API. This is a general principle (not only for web services), and can be really simple, like for instance the following:
https://www.google.com/search?q=catnip
This is a search query to Google. The API states that the value of the parameter q (passed in the URL using ?q=<some value>) should be searched for.
A client could be your web-browser, or any other application which passes that query to Google, and receives the answer it provides.
Sidenote: The same API also states that there can be more data in the url, such as format, client-information, etc: https://www.google.com/search?client=opera&q=catnip&ie=utf-8
I have many web services that use WSDL. I want to use an ESB for the relation between web services.
I don't know whether choosing Mule is correct or not.
I searched about this problem and found WSO2 ESB; I don't know whether it's good for my work or not. I'm very confused.
I don't know what to do.
Please help me.
You can use Oracle Service Bus as well.
Here are some notes I wrote for a colleague asking the same question:
One thing to know about ESBs is that there is no perfect definition for them. The scope and role may vary depending on the needs.
One of the most important things that you can do via an ESB is to decouple the client from the service providers.
An ESB helps to have:
● service location transparency
● sharing of services across the enterprise
● separation of the business service from the service implementation
ESB capabilities:
Routing
The ability to redirect a client request to a particular service provider based on deterministic or variable routing criteria.
Types of routing to consider:
● static or deterministic routing
● content based routing
● policy based routing
● complex rules based routing
Message transformation
The ability to transform the client request into the format the service provider expects.
Most used transformations are:
XML -> XML
XML -> COBOL
Object -> XML
XML -> JSON
etc.
Message enforcement
The ability to enrich or enhance the incoming request message as the service provider requires.
Types of message enforcement:
● Date format conversion
● Data conversion (ex: transform spaces to 0)
● Rule based enhancements (ex: if the message is from X, add some information to the request)
Protocol transformation
The ability to accept one type of protocol from the consumer as input (ex: SOAP/JMS) and communicate with the service provider over another protocol (ex: IIOP)
Service mapping
The ability to translate a business service into the corresponding service implementation and provide binding and location information
Message processing
The ability to manage state and perform request management by accepting an input request and ensuring delivery back to the client via message synchronization.
Process choreography
The ability to manage complex business processes that require the coordination of multiple business services to fulfill a single business request.
Service orchestration
The ability to manage the coordination of multiple implementation services.
Transaction management
The ability to provide a single unit of work for a business service request by providing a framework for the coordination of multiple resources across multiple disparate services (see more: WS-Coordination)
Security
The ability to protect enterprise services from unauthorized access
An ESB should provide the 4 A's of security:
Authentication
Authorization
Auditing
Administration
What have you tried with Mule and WSO2 ?
All ESBs can interact with web services. An alternative to Mule and WSO2 would be to use Apache-Camel. They have nice support for web services.
This is a similar situation to the one raised in this question:
Javascript Calling a Rest API with App Name and App Password - How Can i Secure it
Here is the architecture overview:
The site is Html5/jquerymobile
It contacts what I call a "Wrapper" service. This is a REST API I wrote in C# to contact another 3rd-party REST API. I do this because there are credentials in the header and the API uses Basic Authentication. Credentials are therefore not publicized, as they are only known server-side.
My "Wrapper" service does not currently implement any additional security. It is currently accessible from anywhere. The easiest and quickest way to lock it down is to restrict by IP, so no other IP anywhere except the server can actually contact my wrapper service.
The questions:
Is locking by IP the only way to ensure that the API won't get hammered if it was otherwise accessible from anywhere?
If I convert this using Phonegap (which I have... and deployed successfully on Android), obviously the native app won't work if the web service is restricted.
Is there a way around this so I can allow traffic only from the mobile app, and not from any other source? I'm thinking along the lines of MD5 hash or something that could be sent to the wrapper API.. but unfortunately I'm thinking that info can easily be "sniffed".
Is my only viable option here to release the app as a web app, forcing browser use, thereby removing any concerns about allowing my web service to be hammered?
I believe the answer to this is a combination of a user token and encrypting the message through SSL.
The server can issue a valid user a token so we can identify him in future requests.
Encrypting it via SSL will ensure that this token cannot be sniffed.
https://security.stackexchange.com/questions/12531/ssl-with-get-and-post
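The "user token + SSL" answer above, worked through as an added example (this is not the answerer's code, nor anything from PhoneGap or the wrapper service in the question). It assumes a constructed HMAC key kept only on the server, a fixed clock passed in as `now` so it runs offline, and hypothetical names `issue_token`, `verify_token`, `TokenBucket` and `handle_request`. TLS is assumed to be terminated in front of this code; what the example adds is the part the answer leaves implicit: the token identifies a user, not an app, so the defence against hammering is a per-user rate limit applied after the token check, and an expiry so a sniffed or extracted token has a bounded life.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Constructed server-side signing key. Load it from configuration in production and never
# ship it in the mobile bundle: anything in a PhoneGap package can be extracted.
SECRET = os.urandom(32)


def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, ttl_seconds=3600, now=None):
    """Called once after the user logs in (over TLS); returns an opaque bearer token."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return _b64e(payload) + "." + _b64e(_sign(payload))


def verify_token(token, now=None):
    """Return the user id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = _b64d(p64), _b64d(s64)
        claims = json.loads(payload)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims.get("sub")


class TokenBucket:
    """Per-user token bucket: `capacity` requests of burst, refilled at `rate` per second."""

    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self.state = {}  # user -> (tokens left, timestamp of last update)

    def allow(self, user, now):
        tokens, last = self.state.get(user, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[user] = (tokens, now)
            return False
        self.state[user] = (tokens - 1, now)
        return True


# Constructed limits: 5 requests burst, 1 per second sustained, per authenticated user.
limiter = TokenBucket(capacity=5, rate=1.0)


def handle_request(headers, now=None):
    """Gate in front of the upstream call; 200 means 'forward to the 3rd-party API'."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    user = verify_token(auth[len("Bearer "):], now) if auth.startswith("Bearer ") else None
    if user is None:
        return 401
    if not limiter.allow(user, now):
        return 429  # this user has spent their quota; the 3rd-party rate limit is protected
    return 200
```

Note what this does not do: it cannot tell the PhoneGap build from a script that extracted a token from it, which is the point made in the earlier "bytes are bytes" answer. It only bounds how much damage any one authenticated identity can do.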
Why is WS-Security needed to provide tokens, signatures etc. if there is SSL communication to achieve this purpose? How can WS-Security be used to provide integrity, confidentiality and authenticity that SSL can't provide? Simply, why WS-Security? (If possible, can you provide an example?)
If a business partner of PayPal is using PayPal's web service on its website, and that web service is asking for the username and password of its customer, how can PayPal protect the customer's data from its business partners? How can a SOAP transaction take place between customers, PayPal and its business partners? Please, can you explain how the WS-Security concepts (providing integrity, confidentiality, authenticity) apply in this case?
The main difference is that HTTP-related security mechanisms secure the transport layer of the web service, and WS-Security addresses a higher level of abstraction.
Similarly, you may also have security solutions at higher levels (for example: encrypt just a specific password field in a web service) or lower levels (like a VPN).
Different scenarios will require different security measures in different layers.
Some examples:
Web services are not limited to HTTP transport - your environment may include other transports (like messaging using JMS, MSMQ, etc.). Setting up security at the web services layer (rather than the transport layer) will allow you to use a common mechanism for the whole environment.
Another issue is that HTTP-level security information is "peeled" off as you go higher in the web services stack - for example, in many places you won't be accessing the service provider directly, but through a central ESB (Enterprise Service Bus). The ESB acts as a central hub for services, and may also perform tasks such as logging, routing, publishing to multiple service endpoints, etc.
When using an ESB the HTTP connection is broken at the ESB, and the service gets a new HTTP connection originating from the ESB - thus HTTP security mechanisms cannot offer end-to-end security.
WS-Security information, however, can be preserved even if the messages are routed through an ESB.
What you describe in your last comment appears to be not related to the previous answer.
Do you mean they have a mechanism like OpenID or Kerberos, where you can use your credentials from one site to access a different site?
This isn't specific to web services, and there are various existing protocols to do it (my guess is that they use an existing protocol). Of course a similar mechanism can be developed using WS-Security standards.
The Kerberos protocol, for example, works like this:
1. The user authenticates to the security server
2. The security server replies with a signed message (called a ticket) saying "the user 123 has been authenticated"
3. The user uses this message to prove that he is indeed user 123 to the 2nd site, without the need for the 2nd site to actually get his username and password.
This protocol is based on encryption and cryptographic signatures - both are available using WS-Security.
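The three-step ticket flow just described, as an added example; it is not the answerer's code and not real Kerberos (no key distribution, no ticket encryption, just the signed "user X has been authenticated" message the answer talks about). It assumes constructed data: a security server that holds the users' password hashes and shares one secret key with each site it vouches for, and the hypothetical functions `request_ticket` (steps 1 and 2) and `verify_ticket` (step 3). The property it demonstrates for the PayPal question is that the second site authenticates user123 without ever receiving the password, and that a ticket issued for one site is rejected by another.

```python
import hashlib
import hmac
import os
import time

# --- Security server (steps 1 and 2) ------------------------------------------
# Constructed data. Only the security server knows user passwords (hashed); each
# relying site shares a distinct key with it and never sees any password.
_SALT = b"salt-constructed"
_USER_HASH = {"user123": hashlib.sha256(_SALT + b"correct horse").digest()}
_SERVICE_KEYS = {"site2": os.urandom(32), "site3": os.urandom(32)}


def request_ticket(user, password, service, now=None, lifetime=300):
    """Step 1: user proves the password to the security server for use at `service`.
    Step 2: the server returns 'user|service|expiry' with an HMAC under that service's key."""
    now = time.time() if now is None else now
    stored = _USER_HASH.get(user)
    candidate = hashlib.sha256(_SALT + password.encode("utf-8")).digest()
    if stored is None or not hmac.compare_digest(candidate, stored):
        return None
    key = _SERVICE_KEYS.get(service)
    if key is None:
        return None
    body = f"{user}|{service}|{int(now + lifetime)}"  # constructed: names contain no '|'
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return body + "|" + tag


# --- Relying site (step 3) -----------------------------------------------------
def verify_ticket(ticket, my_name, my_key, now=None):
    """Site `my_name` checks the ticket with the key it shares with the security server.
    Returns the authenticated user or None; no username/password is presented here."""
    now = time.time() if now is None else now
    try:
        user, service, exp, tag = ticket.split("|")
        expiry = int(exp)
    except (ValueError, AttributeError):
        return None
    if service != my_name:
        return None  # a ticket minted for another site must not be honoured here
    if expiry < now:
        return None  # short lifetime bounds replay of a stolen ticket
    body = f"{user}|{service}|{exp}"
    expected = hmac.new(my_key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return None
    return user
```

Binding the service name into the signed body is what stops a partner site that legitimately received a ticket from replaying it against a different partner; real Kerberos achieves the same by encrypting the ticket under the target service's key.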
SSL (TLS) security will protect the user from eavesdropping. But it won't protect you (your site) from malicious users. You're still vulnerable to buffer overflows, SQL injection and so on.
For a great example, watch the "How I met your girlfriend" talks by Samy Kamkar at Defcon (shorter) and at Blackhat (longer). Samy explains using web application vulnerabilities to break into an account (in this case a Facebook account) of someone who uses SSL.
The main difference between SSL and WS-Security is that SSL is transport-level but WS-Security is message-level... In other words, when you use SSL, as soon as the message leaves the transport channel it's not secured. But with WS-Security the message will still be secured, and message security is independent of the transport channel.
With WS-Security,
Authentication --> UsernameToken
Non-repudiation --> Signature [XML Signature/WS-Security]
Confidentiality --> Encryption [XML Encryption/WS-Security]
Integrity --> Signature [XML Signature/WS-Security]
Pure SSL provides Authentication/Confidentiality and Integrity - but not Non-repudiation.
2-legged OAuth is a standard to support Non-repudiation over SSL.
Thanks...
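The "Authentication --> UsernameToken" line above, as an added example of the message-level security the last two answers describe; it is not code from either answerer. It builds a SOAP envelope carrying a WS-Security UsernameToken in PasswordDigest form (the digest is Base64(SHA-1(nonce + created + password)) as defined in the OASIS Username Token Profile 1.0) and then verifies it the way the receiving service, or an ESB hop that has already terminated the HTTPS connection, would: recompute the digest, bound the Created timestamp, and remember nonces so a captured message cannot be replayed. The user store, the clock passed in as `now`, and the names `build_envelope`, `password_digest` and `UsernameTokenVerifier` are constructed for the example; the namespace URIs are the real ones.

```python
import base64
import calendar
import hashlib
import hmac
import os
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce, created, password):
    """Username Token Profile 1.0: Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_envelope(username, password, body_xml, now=None, nonce=None):
    """Client side: SOAP envelope whose header carries the UsernameToken."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = time.strftime(TIME_FMT, time.gmtime(time.time() if now is None else now))
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken>
        <wsse:Username>{escape(username)}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>{body_xml}</soapenv:Body>
</soapenv:Envelope>"""


class UsernameTokenVerifier:
    """Service side (or an ESB hop): validates the token with no reliance on the TLS session."""

    def __init__(self, passwords, max_skew=300):
        self.passwords = passwords  # constructed store; the digest profile needs the plaintext
        self.max_skew = max_skew    # seconds of Created clock skew tolerated
        self.seen = {}              # nonce -> time it may be forgotten; defeats replay

    def verify(self, envelope, now=None):
        now = time.time() if now is None else now
        # Parse untrusted XML with defusedxml in production; stdlib ElementTree keeps this offline.
        tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
        if tok is None:
            return False
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if user is None or pw is None or nonce_b64 is None or created is None:
            return False
        if pw.get("Type") != DIGEST_TYPE:
            return False  # refuse PasswordText: it would carry the password itself
        try:
            created_ts = calendar.timegm(time.strptime(created, TIME_FMT))
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            return False
        if abs(now - created_ts) > self.max_skew:
            return False  # stale or future-dated token
        self.seen = {n: t for n, t in self.seen.items() if t > now}
        if nonce in self.seen:
            return False  # replayed message
        expected = password_digest(nonce, created, self.passwords.get(user, ""))
        presented = (pw.text or "").encode("utf-8")
        if user not in self.passwords or not hmac.compare_digest(expected.encode("ascii"), presented):
            return False
        self.seen[nonce] = now + self.max_skew
        return True
```

This gives authentication and replay resistance at the message level; it does not give integrity or confidentiality for the body, which is what the Signature and Encryption rows in the answer add, and the digest form still obliges the service to hold password-equivalent material, which is why a signed token (X.509 or SAML) is preferred between organisations such as PayPal and a partner.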
WS-Security, or Web Services Security, is an extension of SOAP which applies security to different web services. WS-Security uses XML signatures and encryption to provide end-to-end security. The main focus of this protocol is to specify how integrity and confidentiality can be enforced in message exchanges between a user and a service provider on the web, such as PayPal. It also allows the communication of different security token formats like SAML, X.509, Kerberos, etc. Unlike the HTTP protocol, which mainly focuses on providing security at the transport level, the WS-Security mechanism implements a higher level of abstraction in the application layer and provides an encrypted security solution.
Since the need for security is different on every platform, these two standards focus on meeting the distinct needs of such security platforms. With the help of this security, end-to-end security, non-repudiation, reverse proxy, transport bindings, etc. are improved.
In general terms you can say that this service is another method to provide better security for data exchange platforms and users' privacy. There are many other services/software which do similar tasks, like TOR (provides integrity to user privacy), ScrapeSentry (a service which provides security from bad bot traffic and spam), Distil Network (another service to block web spam), etc. However, the concept of every security mechanism is different, but their main motive is to provide constant and reliable security to users as well as businesses.
Good day people,
SSL/TLS is a security technology. Its goal is to protect the user from having his/her information (credit card, address, phone number...) stolen by a hacker. The SSL certificate will protect the website, and each person who connects to the website will be sure to have a secured environment.
The quality of the security depends on the type of certificate installed on the website in question, whether it is DV (Domain Validation), OV (Organization Validation) or EV (Extended Validation), and whether the SGC technology is present or not.
If you have any other questions, you can find more details here.