We have a web application in Spring MVC, and the web services are implemented using Spring Web Services. They are SOAP based.
I have a couple of queries on the CSRF front.
Is there a CSRF vulnerability for SOAP based web services? I don't think there should be, as SOAP is XML. But I am still not sure whether I am missing anything.
If there is a CSRF vulnerability for SOAP based web services, then how can an incoming request be validated? For CSRF, the token is generated once by the server and then the client (usually a browser) sends that token back to the server. How is this possible with web service calls?
Any input on this will be a help. Thanks in advance.
If the SOAP service authenticates requests using a user ID and password sent in the SOAP header, then it will not be vulnerable to CSRF attacks. Note, however, that if that service is used by a Web application, then the Web application itself may still be vulnerable to CSRF attacks.
Only if you are authenticating by something that will be sent by the client / User Agent / Browser automatically - such as a Cookie or an NTLM / Kerberos token.
In this case an attacker could host a website that posts SOAP to your application and convince the user to visit it. The friendly browser would just punt the Cookie in with the request (or automatically authenticate with Windows if set in the browser/site).
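The defender's side of the two answers above, as an added example that is not code from the question, the answers or Spring Web Services: a check for a SOAP endpoint that is authenticated by something the browser attaches on its own (session cookie, NTLM/Kerberos). It relies on two browser facts: an HTML form can only submit urlencoded, multipart or text/plain bodies and cannot set custom headers such as SOAPAction, and a cross-origin request with a real SOAP content type triggers a CORS preflight. The header dicts in the test are constructed, and the check assumes that non-browser clients, which send neither Origin nor Referer, are legitimate callers.

```python
from urllib.parse import urlparse

SOAP_TYPES = ("text/xml", "application/soap+xml")

def _header(headers, name):
    """Case-insensitive lookup over a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def _request_origin(headers):
    """Origin header, falling back to the Referer's scheme://host; None if neither."""
    origin = _header(headers, "Origin")
    if origin:
        return origin.rstrip("/")
    referer = _header(headers, "Referer")
    if referer:
        parts = urlparse(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None

def check_soap_request(headers, allowed_origins, ambient_auth):
    """Decide whether a SOAP POST may proceed; returns (accepted, reason).

    ambient_auth is True when the service is authenticated by something the
    browser attaches on its own (session cookie, NTLM/Kerberos) and False when
    the credentials travel inside the envelope (e.g. a WS-Security header).
    """
    ctype = (_header(headers, "Content-Type") or "").split(";")[0].strip().lower()
    if ctype not in SOAP_TYPES:
        # An HTML form can only send urlencoded, multipart or text/plain bodies,
        # so anything that is not a SOAP content type is refused outright.
        return False, f"unexpected content type {ctype!r}"
    if not ambient_auth:
        return True, "credentials are inside the envelope; not CSRF-exposed"
    if ctype == "text/xml" and not _header(headers, "SOAPAction"):
        # SOAP 1.1 clients send SOAPAction; a form cannot set custom headers.
        return False, "SOAP 1.1 request without SOAPAction header"
    origin = _request_origin(headers)
    if origin is None:
        # Assumption: non-browser clients (which send neither Origin nor
        # Referer) are legitimate callers of this endpoint.
        return True, "no browser origin present"
    if origin in allowed_origins:
        return True, f"same-site origin {origin}"
    return False, f"cross-site origin {origin} with ambient credentials"
```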
I have a WCF client which consumes a SOAP based web service which has OAuth authentication. My WCF service gets consumed by some other service, but my issue is about authentication when it consumes the web service.
My WCF client consumes the web service using the proxy generated classes approach. I am able to get a Bearer token for OAuth authentication and pass it in the request HTTP header as well; however, the proxy generated class expects a binding configuration as well.
var client = new ExchangeServicePortTypeClient("EndPointConfigurationName", "WebServiceURL");
I have tried basicHttpBinding, customBinding (AuthenticationMode="IssuedToken/IssuedTokenForCertificate/IssuedTokenOverTransport") and wsHttpBinding (security mode Message & ClientCredentialType "IssuedToken"), but no luck.
I am assuming that, due to a wrong or unsupported binding configuration, the authorization bearer token I am sending is not getting taken into account.
I am able to consume this web service successfully from a console application where I am not using the proxy generated classes approach. So I just needed to pass the authorization bearer token in the header and no binding information.
request.Headers.Add("Authorization", "Bearer " + accessToken);
Can someone please suggest what binding information I should add in my WCF client so that it can support OAuth authentication?
Thanks,
I have a Web API server and a client in the browser. Now I want to implement an authentication system. Is it a good way to store authentication tokens in cookies on the client and make every HTTP request with an 'Authorization' header (set this header from the cookies)?
I have a web application whose structure is as follows:
webapi: Django web services [NOT REST], no security implemented
frontend: Angular2, authentication implemented via SAML
Database: MongoDB
Can you please suggest the best way to secure the webapi, as currently anyone who has the server [API] URL can access the web services.
It would be a big help if you could suggest the authentication and authorization flow, because I am totally stuck.
Thanks in advance.
Implement an /authentication on your API which accepts Basic authentication. Make sure you do that over HTTPS. Username and password will be collected by your Angular app and sent back to /authentication. If the user authenticates, return a session token, for example JWT (check pyjwt).
All the following communications between the front and back end should contain the token, which is issued only if the user authenticated. The token is included in the request headers, specifically in the Authorization header using the Bearer schema:
Authorization: Bearer <token>
A JWT contains the username, so you can use that on each future request. Furthermore, you are not required to keep a record of the issued JWTs, since each one is self-contained and can have a predetermined expiration date.
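The issue-and-verify half of the flow described in this answer, as an added example that is not the answerer's code and does not use pyjwt: a standard-library HS256 JWT carrying the username in `sub` and an `exp` claim, plus the parser for the `Authorization: Bearer <token>` header. The secret and timestamps in the test are constructed values; the algorithm is pinned to HS256 so a token cannot select its own.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _b64json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def issue_jwt(username, secret, ttl_seconds=900, now=None):
    """Build a compact HS256 JWT whose payload carries the username and expiry."""
    now = int(time.time()) if now is None else now
    header = _b64json({"alg": "HS256", "typ": "JWT"})
    payload = _b64json({"sub": username, "iat": now, "exp": now + ttl_seconds})
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token, secret, now=None):
    """Return the username if the signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        payload = json.loads(_unb64url(payload_b64))
        sig = _unb64url(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the token must not be allowed to choose "none" or another alg.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None  # expired, or no exp claim at all
    return payload.get("sub")

def user_from_authorization_header(value, secret, now=None):
    """Parse 'Authorization: Bearer <token>' and return the verified username or None."""
    scheme, _, token = (value or "").strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return verify_jwt(token.strip(), secret, now)
```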
Currently we are using the WSO2 IS 4.1.0 version, entitlement service, for policy decisions. As the entitlement service is a secured service, we authenticate and get the cookie, then pass the cookie along with the entitlement service requests. We are using the jsessionid cookie and ran into a situation where, if the WSO2 IS goes down, we have to restart our app as it has a stale cookie; we refresh the cookie on a time interval, every 15 min. Is there a way in WSO2 IS to persist the cookie if it gets restarted? We tried commenting the inside wso2is-4.1.0\repository\conf\tomcat\carbon\META-INF.
Can you suggest how we can configure persistence of jsessionid cookies in WSO2 IS?
Thanks
Kishore
The user session (jsessionid) is not persisted on the server side. So you can re-authenticate after 15 min and get a new jsessionid. (If you receive an authentication failure, you can re-authenticate.) You need to implement the PEP in such a way.
If you are using basic authentication to authenticate with the entitlement service, you can send both the cookie (jsessionid) and the basic auth header... if the cookie is valid it would authenticate with the cookie; if not, it uses the basic auth headers and returns the new cookie to the client. You can find some Java code for this here [1]. This is not for the entitlement service, but you can use it....
[1] https://github.com/soasecurity/soasecurity/blob/master/user-mgt/client/remote-user-400/src/main/java/org/soa/security/sample/user/mgt/SampleUserRoleMgtClient.java
I'm developing a mobile application in Android and BlackBerry. I want users to be able to connect from their smartphones to a web service which will verify their login and password in an Oracle database. I should maintain the connection between client and server within sessions.
My web service should run under Apache Tomcat using Axis2.
How can I implement this session via SOAP messages???
Thanks in advance :)
It's best if you can do this without having to maintain sessions. If maintaining a session is a must, you'll have to pass authentication details with each SOAP request along with a token or a session status object which you'll be manually updating with the status at each end.