Webservice Endpoint - can someone externally scan all services available on a host? - web-services

Say we have hosted a few web services over https://mycompany.com/Service
e.g.
https://mycompany.com/Service/Service1
https://mycompany.com/Service/Service2
https://mycompany.com/Service/Service3
As you can see, on mycompany.com we have hosted 3 web services, each with its own distinct URL.
What we have is a JBoss instance with 3 different web WARs deployed in it. When someone hits the service it gets past our firewall, and then the load balancer redirects to JBoss on port 8080 on the required path, and it gets serviced.
The 3 services are consumed by 3 different clients. My question is: if, say, Client1, using Service1, is only given the URL corresponding to it, can they use some kind of scanner that would also tell them that Service2 and Service3 are also available on mycompany.com/Service?
Irrespective of clients, can anyone simply use some scanner tool to identify what service endpoints are exposed on the host?
Kindly note they are a mix of SOAP (WSDL) and REST-based services deployed on the same instance of JBoss.

Yes, someone can scan for those endpoints. Their scanner would generate a bunch of 404s in your logs, because it would have to guess the other URLs. If you have some kind of rate limiting firewall, it might take them quite a long time. You should be checking the logs regularly anyway.
If you expose your URL to the public internet, relying on people not finding it is just security via obscurity. You should secure each URL using application-level security, and assume that the bad guys already have the URL.
You may want to consider adding subdomains for the separate applications (e.g. service1.mycompany.com, service2.mycompany.com) - this will make firewalling easier.
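As an added illustration of the log checking the answer recommends (example code, not from the original answer): it runs over constructed access-log lines and flags a client that is guessing many different names under the service prefix, which is what a scanner looks like from the server side. The /Service/ prefix, the 404 threshold and the time window are assumed parameters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (combined log format); 10.0.0.7 is guessing names under /Service/.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /Service/Service1 HTTP/1.1" 200 512 "-" "Client1-SDK/2.0"
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /Service/admin HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /Service/api HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.7 - - [10/Oct/2023:13:55:42 +0000] "GET /Service/Service2 HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [10/Oct/2023:13:55:42 +0000] "GET /Service/test HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.7 - - [10/Oct/2023:13:55:43 +0000] "GET /Service/v1 HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.7 - - [10/Oct/2023:13:55:43 +0000] "GET /Service/v1 HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.7 - - [10/Oct/2023:13:55:44 +0000] "GET /Service/old HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /Service/Service2 HTTP/1.1" 200 512 "-" "Client2-SDK/1.1"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /Service/Service2/missing HTTP/1.1" 404 0 "-" "Client2-SDK/1.1"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(lines):
    """Yield one dict per well-formed log line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_enumeration(lines, prefix="/Service/", max_404=3, window=timedelta(seconds=60)):
    """Return {ip: distinct_404_paths} for clients with more than max_404 distinct 404'd
    paths under prefix inside any window. Distinct paths keep a retry loop from looking like a scan."""
    first_seen = defaultdict(dict)  # ip -> {path: time of first 404 on that path}
    for rec in parse(lines):
        path = rec["path"].split("?", 1)[0]
        if rec["status"] != "404" or not path.startswith(prefix):
            continue
        ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        first_seen[rec["ip"]].setdefault(path, ts)
    flagged = {}
    for ip, paths in first_seen.items():
        times = sorted(paths.values())
        lo = 0
        for hi in range(len(times)):  # sliding window over the sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > max_404:
                flagged[ip] = len(times)
                break
    return flagged
```

`find_enumeration(SAMPLE_LOG.splitlines())` reports 10.0.0.7 with 5 distinct misses, while 203.0.113.9's single bad URL is not reported.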

Related

path based configuration in GCP load balancer

I'm working on a sort of prototype project. I have two microservices hosted on separate servers with different tech stacks. Here are some of their endpoints:
1 User management
-- /users
-- /user/:id
-- /user/roles
2 Other operations (e.g. managing a book, book details)
-- /books
-- /book/:id
-- /book/:id/history
I'm using GCP for hosting my apps. I have one load balancer pointing to the above backend services. I'm trying to use host and path rules to use both services, and it looks like the screenshot below.
I would like to access my User management micro service as
dns/user-manager/users
dns/user-manager/user/:id
dns/user-manager/user/roles
and other micro service as
dns/book-manager/books
dns/book-manager/book/:id
dns/book-manager/book/:id/history
But it looks like it is just forwarding the above URL to the particular service directly, so I'm getting a 404. And I don't want to add all my routes to the load balancer path settings, as it will be difficult to maintain. Looking forward to hearing some solutions. Thanks in advance.
I understand you want inbound requests to /user-manager/SUB/PATH to be forwarded to user-service and re-written to /SUB/PATH. It sounds like you have got the forwarding to work, but not the rewriting.
Google HTTP/S LB can't do the re-writing for you. You will have to add a reverse-proxy between GCLB and your microservice to rewrite the URLs. For example nginx can do this.
Google now offers URL rewriting which can achieve this.

Authentication application layer to reach backend services

I have two web applications, one running on port 8001 and another running on 8002, and another stand-alone auth application running on 8090.
I want every request to first pass through auth-application:8090, which then decides whether it should be processed by web-application:8001 or by web-application:8002.
There could be multiple auth applications, chosen by putting a load balancer on top of them, and several web-application clusters; the auth application decides which web-application cluster to forward the request to.
By several web-application clusters, I mean one cluster is built on a Java application and another cluster is composed of Django web applications. I want to decide the cluster based on request headers or request parameters.
What is the best way to achieve this?
I could think of using a script to be called in an nginx proxy_pass block, but I am not sure how this could work or even if it would work. There might be some existing implementation for this problem; might Google / Amazon use this kind of architecture?
Usually the authentication flow is initiated from the application (how would the auth server know where you want to go after a successful auth?), so the flow should be:
1. user reaches app
2. app checks if user is authenticated
3. if not, redirects to auth service
4. lets you in (based on the success of the auth)
So the users should know first of all what app they want (8001 or 8002). If the two apps are the same then it's a load balancer you need, but the auth flow still has to be initiated from the app.

OSB Service based on WSDL having multiple ports

How are you doing!
I have a scenario where I need to create an OSB service (which is a mere pass-through service) that will be based on a WSDL that contains 2 ports, each pointing to a different URL. In this case, how do I create the proxy and business services? As I see it, when I create the proxy service based on a port, only one port can be selected at a time, so I'll need 2 OSB services/proxies. If I select the binding, then the port information won't come from the WSDL into the generated effective proxy WSDL, and it will have only one port, so even in this case I'll have to generate 2 WSDLs for those 2 ports. Am I right? Or am I missing anything?
Another question on the same scenario:
We are storing all the WSDLs in MDS, so they need to be abstract (at least no service/port information). So, in this case, if I make the WSDL abstract, it will lose the port information, so what do I do? 2 business services, each pointing to a different URL? But even in this case, what about the proxy service? How can a proxy service that exposes one port cater to 2 different services?
Is there any way that I can achieve this with a single OSB service? I would prefer the 2nd approach of storing abstract WSDLs in MDS.
Regards
RaviKiran
When you create a Proxy service, you have full control over how that proxy service calls out to business services. In your case, something simple like an Operational Branch would suffice, but really, OSB allows you to control calling out to multiple services. You don't need to provide multiple ports for your proxy service, as you can make all the calls and control from inside.
Regarding your second question, it wouldn't matter if you're using abstract or concrete WSDLs in your OSB configuration for either the Proxy or the Business Services. You define the endpoint you're connecting to. In Business Services, OSB will take your WSDL and call whatever endpoint you tell it to. For a proxy service, the server OSB runs on will dictate what port address it's going to use, outside of the Endpoint URI that you've defined for it.
I would read Oracle's documentation on the Concepts and Architecture for OSB. It covers a lot of this background information on implementing proxy and business services, and might point you to the more specific question you want answered. In particular, section 2.2 covers the proxy and business service abstraction concept pretty well:
Oracle® Fusion Middleware Concepts and Architecture for Oracle Service Bus
11g Release 1 (11.1.1.7)

Setting up a secure Web Service

I need to set up a web service. The server is in a DMZ, so I thought about putting the web service in IIS (asmx) because only port 80 is available to communicate. But the information it provides should be secured. What choices do I have when it comes to what .NET / IIS can offer?
Or maybe I should dispense with the asmx web service and switch to something else. But once again, I only have port 80 available.
Thanks,
Pawel
You should check out WCF.
When it comes to securing web services you have two main action paths:
go for communication over HTTPS and leave the web service messages in plain text (no problem since the data is over HTTPS and you can't see inside): transport level security;
go for communication over HTTP but secure the messages of the web service (WS-Security fits this role): message level security.
WS-* specifications are not an easy thing to digest (especially WS-Security, which relies on other specs like WS-Policy, WS-Addressing, XML Signature, XML Encryption etc.). But since you say you only have port 80 available for communication, I think you don't have a choice (don't even think of implementing your own security mechanism :D).
So, if you have to use WS-Security then go for WCF. You have a bunch of communication mechanisms you can choose from, and WCF takes a lot of the heavy lifting off you, abstracting away the "bare metal" of SOAP and WS-*.
Within IIS, if you wish to only allow a specific IP address to access the web service, do the following:
Within IIS, right click on the file with asmx extension. Click “Switch to features view”
Click the “IP Address and Domain Restrictions” icon.
Click “Edit Feature Settings”, Select Deny All, Add Allow Entry.
Type in the IP you want the service to access.

Retrieve calling url in Java Webservice

We have a web service that is deployed on 2 separate machines in different locations. Is it possible to monitor the URL that a person used to call our web service using Java code? We have a 3DNS URL set up and we want all clients to use this URL as opposed to hitting the boxes directly with the correct port numbers in the URL.
Thanks
Damien
Have you taken a look at:
import javax.annotation.Resource;
import javax.xml.ws.WebServiceContext;
@Resource // injected by the JAX-WS runtime into the endpoint implementation class
WebServiceContext wsContext;
This will return the context of the current message sent to your webservice. I've been able to get the IP address of the user from that.
This is assuming that you are using Java.
You might look into something like OWSM (Oracle Web Services Manager)... there may be open source alternatives.
OWSM creates a virtual endpoint that it handles and routes to the actual service hosts. This way, your service hosts can be hidden behind the firewall, with only the OWSM host visible to the world. When a user hits the virtual endpoint, OWSM can authenticate and pass them along to the balanced service host.
An alternative might be to use servlet filters on the real endpoints. The filter could do a couple of different things. It could simply log the requested URL from the HttpServletRequest, or it could even redirect to the correct URL for you (I'm not sure what the implications of that are for a web service, though).
All you would have to do is have the filter mapped to the same context path as the web service (Axis uses /services/* for example).
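The filter approach from the last answer, as an added example that is not from the original answer and is written as a Python WSGI middleware rather than a Java servlet filter: it records the URL each caller actually used and flags calls whose Host header is not the published name, optionally refusing them. The canonical hostname ws.mycompany.com, the /services/ path, the stand-in service and the sample environs are assumptions.

```python
import logging
from urllib.parse import quote

def requested_url(environ):
    """Rebuild the URL the client actually used: the WSGI analogue of
    HttpServletRequest.getRequestURL() with the query string appended."""
    host = environ.get("HTTP_HOST") or f"{environ['SERVER_NAME']}:{environ['SERVER_PORT']}"
    url = (f"{environ['wsgi.url_scheme']}://{host}"
           + quote(environ.get("SCRIPT_NAME", "")) + quote(environ.get("PATH_INFO", "")))
    return url + "?" + environ["QUERY_STRING"] if environ.get("QUERY_STRING") else url

class CanonicalHostFilter:
    """Wraps a WSGI service the way a servlet filter wraps /services/*: logs the URL
    each call used and records (or, with enforce=True, refuses) calls that reach a
    box directly instead of through the published 3DNS hostname."""
    def __init__(self, app, canonical_host, enforce=False):
        self.app, self.canonical_host, self.enforce = app, canonical_host.lower(), enforce
        self.bypasses = []  # URLs that arrived without the canonical Host header

    def __call__(self, environ, start_response):
        url = requested_url(environ)
        host = (environ.get("HTTP_HOST") or "").split(":", 1)[0].lower()
        logging.info("service called via %s", url)
        if host != self.canonical_host:
            self.bypasses.append(url)
            logging.warning("direct call bypassing %s: %s", self.canonical_host, url)
            if self.enforce:  # refuse, not redirect: SOAP clients POST and many ignore 3xx
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"use the published service URL\n"]
        return self.app(environ, start_response)

def service(environ, start_response):  # stand-in for the real endpoint
    start_response("200 OK", [("Content-Type", "text/xml")])
    return [b"<ok/>"]

def make_environ(host, path, query="", scheme="http"):
    """Constructed minimal WSGI environ for scheme://host/path?query."""
    name, _, port = host.partition(":")
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SCRIPT_NAME": "", "PATH_INFO": path,
            "QUERY_STRING": query, "SERVER_NAME": name, "SERVER_PORT": port or "80"}

def invoke(app, environ):
    """Call a WSGI app and return (status line, body bytes)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], body
```

With enforce=False the filter only logs and records bypasses, which is the safe first step for finding clients that still use the box addresses before turning enforcement on.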