We have a new security person at the office doing some penetration tests on the APIs I've put in place.
He pointed out that we are not using WS-Security on top of the JSON/REST service we are exposing over HTTPS to the outside world.
My question is,
is it really possible to combine WS-Security with JSON/REST services?
To my knowledge, WS-Security has nothing to do with JSON/REST services at all. It is used for regular Web services, embedding extra security elements in the SOAP envelope.
But, we are not using SOAP for the APIs...
Related
I need to connect to a site's endpoints and call its methods.
Is it possible to do this by creating a WCF client?
I don't know which technology is used by the site for its web services. I have only been given the endpoints to communicate with.
If you know the local address and port as well as the name of the service, the procedure is the same as the WCF Web service.
I have generated a JAX-WS web service with RAD 8.5 which automatically generated an endpoint for the service at "http:endpoint". I generated a client for the web service from the WSDL and added transport security (SSL) to the web service and added a secure endpoint using the following line of code in my client:
proxy._getDescriptor().setEndpoint("https:endpoint");
Everything seems to work fine. My question is, do I need to do anything about the existence of the original endpoint at "http:endpoint"? This is an in-house web service, so all of the apps which use it in house will use the secure endpoint, but is the availability of the insecure endpoint a security risk for the web service? If so, what do I need to do to fix it? Any help would be appreciated.
I am not familiar with the framework you are using, but there should be a configuration in your proxy to not allow http calls at all. If you have that option, turn it on so that your service only listens on port 443 (secure port).
An alternative would be to rewrite all http requests with https.
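As an added example (not part of the answer above), this is how the "no plain http at all" option looks in a standard Java EE deployment descriptor, which applies to a JAX-WS service deployed in a servlet container such as the one RAD targets. The `url-pattern` `/MyService` is an assumed endpoint path; substitute the path of the generated endpoint. A `security-constraint` with `transport-guarantee` `CONFIDENTIAL` and no `auth-constraint` leaves authorization unchanged but tells the container to refuse the resource over plain HTTP (most containers answer with a redirect to their configured HTTPS port):

```xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Added example: force TLS for the SOAP endpoint only.
       /MyService is an assumed path for the generated endpoint. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JAX-WS endpoint</web-resource-name>
      <url-pattern>/MyService</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <!-- No auth-constraint: access rules are unchanged, only the transport is. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

One caveat a tester will raise: a redirect from http to https protects nothing for a client that has already POSTed the SOAP body in the clear before being redirected, so the constraint is a safety net for misconfigured callers, not a substitute for removing the HTTP listener (or firewalling its port) on a service that is only ever meant to be reached over TLS.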
I know too little SOAP theory and need some help.
Imagine a web service and a client. There is also a gateway (facing the internet), which requests have to be relayed through.
The client authenticates with the gateway using a client certificate (transport security).
The gateway, in turn, uses message credentials to authenticate with the web service.
My question: Is it reasonable that the gateway, after getting the response from the web service, forwards the Security header to the client?
I'm thinking that it "feels" like that should be for the GW -> Web Service link only, since the client didn't use any message security in its request but am I right or wrong?
You're talking about three completely different layers of the network stack. Whether you encrypt your transport with HTTPS has absolutely nothing to do with whether or not you wish to protect your message payload with WS-I security.
Two good articles on WS-Security (at least from a Microsoft/.Net perspective):
http://msdn.microsoft.com/en-us/library/ms788756%28v=vs.110%29.aspx
http://msdn.microsoft.com/en-us/library/ms977327.aspx
In answer to your question: if you have a SOAP security header, then you ARE using WS-Security, and the client IS passing it to your web service link. Typically, this is transparent to both your client code and your server code; it's handled by the "middleware" in your .Net libraries.
I am trying to write a web service client using JAX-WS for a secured web service hosted by a third party. While doing so, I am facing a lot of issues and somehow want to find out whether the issue is with my client or with the hosted web service.
Do we have any publicly available and free secure web services on the internet? I can find many non-secure services.
Have a look at this URL:
http://www.webservicex.net/ws/wscatlist.aspx
... where you can find a bunch of published webservices.
I am exposing an EJB 3.0 stateless session bean as a web service using JAX-WS annotations. Right now I'm using JBoss 5.1.0 GA as the application server, and JBossWS generates the WSDL for me when I deploy the EAR.
Now I want to secure the web services by providing authentication and encryption/decryption of the SOAP messages. How can I achieve that? Are there any annotations available for both in JAX-WS, or can I achieve it by doing some configuration at the EJB level? I do not want to secure the web services in a JBoss-specific way, because I want to deploy the same EAR in a different application as well.
So please help me build a generic EJB 3.0 web service bean with the security implementation. Thanks a lot in advance.
Concerning SOAP web services, you can find a lot of posts in this forum related to your question. In particular, in User authenticate in SOAP I've mentioned that there are several ways to authenticate the client.
Supposing that you want to authenticate the client by an X.509 certificate, then:
For JBossWS refer to WS-SecurityOptions – X509 Certificate Token
For Metro/JAX-WS services refer to Using JAX-WS-Based Web Services with SSL
For Apache CXF refer to WS-Security
For Spring Security refer to Spring Security With X.509 Certificate