How to implement security in a SOAP webservice? - web-services

I have a SOAP web service. I am using Apache Axis2 to generate the JavaBean skeleton from the WSDL file, and I implemented the functionality. Now I am looking to secure the web service using a username token. What options are available to do that?

Axis2 is extensible through modules, and the security module for Axis2 is called Rampart. You can engage this module to provide the security functionality.
You might find this article useful: UsernameToken Authentication with Rampart

Related

Need guidance on performing web services security testing of WS-Security SOAP using Burp

We just started off with Burp for the web application. We use SoapUI for WS-Security SOAP web services. We are planning to extend the security testing to SOAP web services using Burp. Can you kindly provide any directions on how we can achieve this? Thanks
I couldn't find any information on directly accessing the web service requests in Burp. We need to have a proxy (SoapUI) to intercept the request. Below is the link for additional details.
http://www.fishofprey.com/2013/01/using-burp-suite-to-test-web-service.html

Calling WS-Trust secured service from WSO2 ESB

I'm looking for help on how to call a WS-Trust secured SOAP service from WSO2 ESB.
The idea is to create a non-secure proxy service which would call the WS-Trust secured back-end service, so our SOAP clients wouldn't have to worry about authentication.
I've been going through the documentation and have found nothing of much value. The documentation mentions that WSO2 ESB uses Apache Rampart, and more specifically the Rahas module, to engage WS-Trust secured services, yet there are no examples of how to configure, for example, the security token service address.
So far I've found this blog post: http://xacmlinfo.org/2012/11/05/how-to-invoke-secured-backend-service-using-wso2-esb/
It runs a similar scenario but without WS-Trust. It uses Rampart configuration inside WS-Policy files, but the Rampart configuration doesn't support any WS-Trust attributes.
I've also found this: http://ask.programmershare.com/279_17604398/
This is more in line with what I'm looking for, but the example does the STS calls programmatically, and even then unsuccessfully.
Is anyone aware of any examples of a successful configuration for calling the security token service and then the service itself using WSO2 ESB?

calling a WS-Secured SOAP webservice from Groovy

How do I call a WS-Secured SOAP web service implementing the OASIS standard?
I am not sure whether HTTPBuilder can be used to access SOAP-based web services. The popular Groovy wslite library can be used to access SOAP web services using basic authentication only.
Is there any Groovy library or sample which could be used to access a SOAP web service that implements the WS-Security username token from Groovy?
wslite can be used to access a WS-Security secured web service. We have to build the security header ourselves: generate the nonce, password digest and timestamp, and send them in the wsse:Security header.
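The header the answer above describes, built from scratch as an added example (this is not code from the original post or from the wslite project). It uses only JDK classes, so the same code can be called from a Groovy script; the credentials are made up, and the returned String is meant to be placed inside the request's soapenv:Header by wslite or any other SOAP client.

```java
// Added example, not from the original post: build a WS-Security UsernameToken
// header with PasswordDigest plus a wsu:Timestamp, using JDK classes only.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Base64;

public class UsernameTokenHeader {

    // Namespace and type URIs from the OASIS WS-Security 1.0 UsernameToken Profile.
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";
    static final String NONCE_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";

    private static final SecureRandom RANDOM = new SecureRandom();

    /** PasswordDigest = Base64(SHA-1(nonce || created || password)); the raw nonce bytes are hashed, not their Base64 form. */
    static String passwordDigest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    /** Minimal XML escaping for the username, which is user-supplied text placed inside an element. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    /** Builds a wsse:Security header with a Timestamp and a digest UsernameToken valid for ttlSeconds. */
    static String build(String username, String password, int ttlSeconds) throws Exception {
        byte[] nonce = new byte[16];
        RANDOM.nextBytes(nonce);                                   // fresh, unpredictable nonce per request
        Instant now = Instant.now().truncatedTo(ChronoUnit.SECONDS);
        String created = now.toString();                           // ISO-8601 UTC, e.g. 2013-05-01T12:00:00Z
        String expires = now.plusSeconds(ttlSeconds).toString();
        String digest = passwordDigest(nonce, created, password);

        return "<wsse:Security xmlns:wsse=\"" + WSSE + "\" xmlns:wsu=\"" + WSU + "\">"
             +   "<wsu:Timestamp wsu:Id=\"TS-1\">"
             +     "<wsu:Created>" + created + "</wsu:Created>"
             +     "<wsu:Expires>" + expires + "</wsu:Expires>"
             +   "</wsu:Timestamp>"
             +   "<wsse:UsernameToken wsu:Id=\"UT-1\">"
             +     "<wsse:Username>" + escape(username) + "</wsse:Username>"
             +     "<wsse:Password Type=\"" + DIGEST_TYPE + "\">" + digest + "</wsse:Password>"
             +     "<wsse:Nonce EncodingType=\"" + NONCE_ENC + "\">" + Base64.getEncoder().encodeToString(nonce) + "</wsse:Nonce>"
             +     "<wsu:Created>" + created + "</wsu:Created>"
             +   "</wsse:UsernameToken>"
             + "</wsse:Security>";
    }

    public static void main(String[] args) throws Exception {
        // "alice" / "s3cret" are made-up sample credentials for the example
        System.out.println(build("alice", "s3cret", 300));
    }
}
```

Two things to keep in mind when relying on this. PasswordDigest only keeps the password itself off the wire; the server still needs the cleartext password (or an equivalent secret) to recompute the digest, and the username and the SOAP body travel unprotected, so the call still belongs on TLS. The nonce and Created values only prevent replay if the server caches seen nonces and rejects Created timestamps outside its allowed window.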

Handle Authentication and Authorization in jax-rs webservice with cxf

I have a web app which has JSPs. I am not using Struts or any MVC framework. We have a JAX-RS service built using Apache CXF.
Now I want to do the following:
1. Allow the user to log in with a username and password.
2. For all subsequent calls to the web service, the same authentication info should be used.
3. The logged-in user has some details (profile photo, full name) which I want to keep constant across the session.
4. Also, its roles are defined. Based on the role(s), only certain JAX-RS calls will be allowed.
5. Roles are also used in the JSPs to restrict access to functionality.
6. Web services can be accessed from outside, so the authentication and authorization info should be used.
As far as I understand, we should not use sessions in JAX-RS services. What is the best way to handle the above situation?
The best way depends on how you estimate it.
My way of doing this is to:
1. Run the REST service and the JSPs on the same instance.
2. Use web.xml and CXF to set up the security policy, which allows user/password authentication and authorization, with roles bound to both the JAX-RS URLs and the JSP URLs.
3. Based on 2, the JAX-RS services can be called directly from outside, but a user/password is required, as you specified.
Hope this helps you a bit.
Think of CXF security validation as any other HTTP or HTTPS validation: you have to intercept the request and pass it on to the REST service. You can use a tool like SiteMinder, or else write a CXF interceptor to do your own security validation. In the interceptor you can call an SSO-style token generator server if you have the infrastructure, or call the DB if your architecture is built that way. You can use caching to reduce resource hits; look at a custom or Hibernate cache. Enabling HTTPS has to be done in the server configuration. If you have a certificate you can use it; otherwise you can generate your own using OpenSSL.
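Both answers above come down to the same mechanism: intercept each request, authenticate it without an HTTP session, and attach roles that the JAX-RS methods can check. The following is an added example of that mechanism, not code from either answer: a JAX-RS 2.0 ContainerRequestFilter for Apache CXF that validates HTTP Basic credentials on every call and publishes the caller's roles through SecurityContext, plus a resource that enforces a role per method. The user table is constructed for the example (a real service would consult its user store or SSO token service, and would keep password hashes, not passwords); the filter is registered like any other CXF JAX-RS provider.

```java
// Added example, not from the original answers: per-request Basic authentication
// and role publication for a CXF JAX-RS service, with no HTTP session involved.
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHENTICATION)
public class BasicAuthFilter implements ContainerRequestFilter {

    // Constructed sample users (hypothetical): name -> password, name -> roles.
    private static final Map<String, String> PASSWORDS = new HashMap<>();
    private static final Map<String, Set<String>> ROLES = new HashMap<>();
    static {
        PASSWORDS.put("alice", "s3cret");
        ROLES.put("alice", new HashSet<>(Arrays.asList("admin", "user")));
        PASSWORDS.put("bob", "hunter2");
        ROLES.put("bob", Collections.singleton("user"));
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String[] creds = decodeBasic(ctx.getHeaderString("Authorization"));
        if (creds == null || !passwordMatches(creds[0], creds[1])) {
            // 401 with a challenge; abortWith stops the chain before the resource runs.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Basic realm=\"api\"").build());
            return;
        }
        final String user = creds[0];
        final Set<String> roles = ROLES.getOrDefault(user, Collections.<String>emptySet());
        final SecurityContext original = ctx.getSecurityContext();
        final boolean secure = original != null && original.isSecure();   // true when the request arrived over HTTPS
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> user; }   // Principal has one abstract method, getName()
            public boolean isUserInRole(String role) { return roles.contains(role); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }

    /** Returns {user, password} from "Basic base64(user:password)", or null if the header is absent or malformed. */
    static String[] decodeBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        int colon = decoded.indexOf(':');
        return colon < 0 ? null : new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Constant-time comparison via MessageDigest.isEqual; String.equals would leak the matching prefix length through timing. */
    static boolean passwordMatches(String user, String password) {
        String expected = PASSWORDS.get(user);
        return expected != null && MessageDigest.isEqual(expected.getBytes(UTF_8), password.getBytes(UTF_8));
    }
}

/** Resource whose method enforces a role through the SecurityContext set by the filter. */
@Path("/reports")
class ReportsResource {
    @GET
    public Response list(@Context SecurityContext sc) {
        if (sc.getUserPrincipal() == null || !sc.isUserInRole("admin")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok("reports for " + sc.getUserPrincipal().getName()).build();
    }
}
```

Because Basic credentials are only Base64-encoded, a production filter should refuse to authenticate when isSecure() is false, which ties in with the HTTPS point made in the second answer. Once a SecurityContext with roles is in place, CXF can also enforce @RolesAllowed on resource methods declaratively through its SecureAnnotationsInterceptor instead of the explicit isUserInRole check shown here.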

Web service authentication

I have written my web services using Apache Axis2. Now I want to make my web services secure to avoid unauthorized access.
Is there any way in Apache Axis by which we can redirect each web service request to a particular web service, so that it does the authentication and, on successful authentication, forwards the request to the respective web service?
Thanks,
Ajinkya.
You can use Apache Rampart[1] for this. Instead of redirecting to another web service you can use a UT (UsernameToken) to authenticate the users. Using WS-Security is the correct way to secure a web service. This[2] would help you.
If you are interested, WSO2 AS[3] provides an integrated environment for web service deployment and adds security using its GUI. Further, since it is based on the WSO2 Carbon platform, you can integrate your user store with WSO2 AS, and then authentication is provided out of the box.
[1] http://axis.apache.org/axis2/java/rampart/
[2] http://wso2.org/library/240
[3] http://wso2.org/library/application-server
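Both the first answer on this page (engage Rampart) and the one above (use a UsernameToken instead of an authentication front service) leave out the one piece of code the service author has to write: the password callback that Rampart hands each token to. The following is an added example of that callback, not code from the answers or from the Rampart project. The user table is constructed for the example; a real handler would consult the application's user store. The class is wired in through the service policy's ramp:RampartConfig element (ramp:passwordCallbackClass) with the rampart module engaged in services.xml.

```java
// Added example, not from the original answers: a server-side CallbackHandler for
// Apache Rampart / WSS4J that validates a WS-Security UsernameToken.
import static java.nio.charset.StandardCharsets.UTF_8;

import java.io.IOException;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class UsernameTokenCallbackHandler implements CallbackHandler {

    // Constructed sample credentials (hypothetical). Keep hashes, not passwords, in a real deployment.
    private static final Map<String, String> USERS = Collections.singletonMap("alice", "s3cret");

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String expected = USERS.get(pwcb.getIdentifier());   // the wsse:Username from the token
            if (expected == null) {
                // Any exception thrown here makes WSS4J fail the token; Rampart answers with a SOAP fault.
                throw new UnsupportedCallbackException(cb, "unknown user");
            }
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN: {
                    // Digest token: hand WSS4J the stored password and it recomputes
                    // Base64(SHA-1(nonce + created + password)) and compares it with the token's digest.
                    pwcb.setPassword(expected);
                    break;
                }
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN: {
                    // Plaintext token on older WSS4J releases: the password is delivered to the
                    // handler, which must verify it. Constant-time compare to avoid a timing oracle.
                    String supplied = pwcb.getPassword();
                    if (supplied == null || !MessageDigest.isEqual(expected.getBytes(UTF_8), supplied.getBytes(UTF_8))) {
                        throw new UnsupportedCallbackException(cb, "bad password");
                    }
                    break;
                }
                default:
                    throw new UnsupportedCallbackException(cb, "unexpected usage " + pwcb.getUsage());
            }
        }
    }
}
```

Which branch runs depends on the WSS4J version bundled with your Rampart: newer releases deliver plaintext tokens with USERNAME_TOKEN usage as well and do the comparison themselves after setPassword, so the second branch is only reached on older ones. The handler checks the password only; WSS4J separately validates the token's Created time against its configured TTL, and a digest token still does not protect the message body or the username, so the service should stay behind HTTPS.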