I'm looking at the wordpress XML RPC documentation and it seems that the username and password are required in the plain on every request.
Is there a token based alternative to this to stop this?
An alternative would be to expose the xmlrpc service only over ssl.
Related
I am trying to build an API server for http and started off with djangorestframework and someone suggested using djangorestframework-jwt. However, I saw this from their homepage.
Unlike some more typical uses of JWTs, this module only generates authentication tokens that will verify the user who is requesting one of your DRF protected API resources. The actual request parameters themselves are not included in the JWT claims which means they are not signed and may be tampered with. You should only expose your API endpoints over SSL/TLS to protect against content tampering and certain kinds of replay attacks.
Does djangorestframework-jwt work for http and https? Is it safe? If not, what is the alternative? Is this the approach for authentication in a REST API?
Its http that isn't safe, nothing to do with the authentication method.
Initially, the user has to POST their login credentials. If those are sent via a http connection, anybody in between can read their username and password.
What's more, if you send the JWT token over http, somebody in between may just grab it and re-use it to authenticate their own queries against your API, until the token expires.
Good rule: if any kind of authentication is involved, use https.
I am developing an apple app which talks to a restful PHP web service.
Ideally i want this web service password protected.
What is the best way of achieving this,
Is it better to use a technique similar to OAUTH or is it over kill?
Or is it better to send user password and username in server each command and check its legit before caring out each individual command.
Thanks
It depends on the client. If the client is 3rd party, then it needs an OAuth like solution with access tokens. If the developer of the service and the client is the same, then the basic auth approach is enough. Ofc. you have to use encrypted connection.
I need some clue or direction on how to implement authentication into soap message.
Is it possible to implement authentication by using plain WSDL and Xml Schema ?
When I said plain, I referring to only using WSDL / XML schema, no php, no java annotation, no ruby, no .net, etc.
I know there are standards on WSS, which is SAML / OASIS, but from their documentation (only OASIS, I haven't access SAML documentation yet) they are focus on their specification on soap message, which isn't what i want.
On top of that, I want soap authentication, not http basic authentication.
A WSDL is simply the description of the service. It doesn't implement anything, and certainly doesn't implement authentication.
Also, FYI, there's no such thing as SOAP Authentication.
The recommended approach would be to use the WS-Security standard. The easiest way to achieve a solution would be to use WS-Security Username token policy described here:
https://www.oasis-open.org/committees/download.php/13392/wss-v1.1-spec-pr-UsernameTokenProfile-01.htm
The benefit of using this approach is that your WSDL will include a section that will describe the authentication requirements of the web service. Any clients that generate stubs using the WSDL will then be able to automatically generate code for including username token with the request message.
You can find an example implementation here:
WS Security - Username token Profile
I have deployed webservice in Tomcat using Apache CXF. How would I proceed in securing that web service using OAuth 2.0?
I have gone through the below URL but without finding any suitable solution. A working example or tutorials on how to implement oAuth 2.0 for simple web service?
Original tutorial link:
JAX-RS: OAuth2
I was confronted with the same issue recently. After a decent amount of research, I have found (and this could be limited to me alone) that this is quite complicated.
It is possible to attach the required "authorization header" to a SOAP webservice call in this manner :
Map<String, Object> req_ctx = ((BindingProvider)port).getRequestContext();
req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, WS_URL);
Map<String, List<String>> headers = new HashMap<String, List<String>>();
headers.put("key", Collections.singletonList("yourkey"));
//... all other parameters required.
req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);
The request can then be checked on the server side as such :
MessageContext mctx = wsctx.getMessageContext();
//get detail from request headers
Map http_headers = (Map) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
List userList = (List) http_headers.get("key");
//... get other information required here
And thus you can validate the request.
On a side note
It is to note, from my findings, oAuth2 is not very useful for simply securing your API - simply protecting it from outside use.
The reasoning
With oAuth 1, you could use the authentication to validate a user by their key. You knew they were authorized because they have successfully signed the request, and thus you would allow them access to the information.
With oAuth 2, the protocol requires you to use HTTPS. Then why not just use application authentication with your API? I have found oAuth 2 to be very useful to access 3rd party applications with the original set of credentials (the goal of the protocol). But unless you need to do this, there is no need (again IMO) to implement the full oAuth. If you ONLY looking to secure your API, just do it using SSL and a key or username/password combination.
See also:
Application Authentication With JAX-WS
CFX User Guide
How is OAuth 2 different from OAuth 1?
Designing a Secure REST API without oAuth - more useful for general understanding.
I've added a short intro here:
https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+OAuth2#JAX-RSOAuth2-OAuth2tokensandSOAPendpoints
Basically it will work with bearer tokens passed via Authorization headers as is, and can be easily customized to handle WS-Security binary tokens
I have a webapp which has jsps. am not using any struts or mvc framework. We have JAX-RS service build using Apache CXF.
Now i want to do following
Allow user to login with username and password.
For all subsequent calls to webservice, same authentication info should be used.
Logged in user has some details (profile photo, full name), which i want to keep it constant across session.
Also, its role are defined. Based on role(s) only certain jax-rs calls will be allowed.
Roles are also used in JSP to restrict access to functionality.
Web services can be accessed outside so authentication and authorization info should be used.
As far as i understand, We should not use session in jax-rs services. What is the best way to handle above situation ?
The best way depends on how you estimate it.
My way of doing this is to
Run Rest service and JSP on the same instance
Use web.xml and CXF to set up security policy, which allows user/pw authentication and authorization, ROLES binded to both jax-rs urls and JSP urls.
Based on 2, jax-rs services can be called directly outside, but user/pw is required as you specified.
Hope this can help you a bit.
Think cxf security validation as any other http or https validation. you have to intercept the request and pass it to the rest service. You can use any of the tools like siteminder, else can write CXF interceptor to do your own security validation. In the interceptor you can call SSO kind of token generator server in case you have the infrastucture or call the DB if your architecture is built that way. You can use caching to reduce the resource hits and can look at custom or hibernate cache. enabling Https has to be done in server configuration. If you have certificate , you can use the same else you can generate your own using openssl.