How can I implement Web Service Security? - web-services

I am new to web services. I have finished a web service and created a client based on the WSDL of that web service. How can I add security to the web service so that it is secured or authenticated?
I googled and found that I should add a policy annotation in my web service class which will have the name of my associated policy file. What is this associated policy file or .xml file, and how can it be done?
Please help.

For this you need to use the Rampart module provided by the Apache Foundation. There is something called UsernameToken that you can implement, so that when a client tries to access the web service, he needs to provide the user name and password in the password callback method. On the server side the password callback method is also going to be invoked. There we can verify the received user name and password, and depending on its success or failure, you can either allow the web service to be invoked or throw an exception specifying the reason for failure. It's quite easy. You first download the Rampart module from the Apache Foundation, and then study the samples given in that archive file.
Best of luck.
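The server-side password callback that the answer describes, as an added example (not code from the question, the answer, or the Rampart distribution). It assumes the Rampart 1.x / WSS4J 1.6 API (`org.apache.ws.security.WSPasswordCallback`, `getIdentifier()`, the `USERNAME_TOKEN` and `USERNAME_TOKEN_UNKNOWN` usage constants) and a constructed in-memory user table standing in for a real credential store; the class name `ServerPasswordCallbackHandler` is an assumption, to be referenced from the RampartConfig `passwordCallbackClass` element in services.xml.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Server-side password callback handler for a Rampart UsernameToken policy.
 * Assumption: Rampart 1.x on WSS4J 1.6, where plain-text tokens arrive with usage
 * USERNAME_TOKEN_UNKNOWN (handler verifies) and digest tokens with usage
 * USERNAME_TOKEN (handler supplies the stored password, WSS4J recomputes the digest).
 */
public class ServerPasswordCallbackHandler implements CallbackHandler {

    // Constructed sample credential store. A real service would look users up in a
    // database or directory and store password hashes, not plain passwords.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("alice", "s3cret-example");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;
            String user = pwcb.getIdentifier();
            String expected = USERS.get(user);

            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Plain-text UsernameToken: WSS4J hands us the received password and
                    // expects the handler to reject the call if it does not match.
                    if (expected == null || !constantTimeEquals(expected, pwcb.getPassword())) {
                        throw new UnsupportedCallbackException(callback,
                                "Authentication failed for user " + user);
                    }
                    break;
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Digest UsernameToken: supply the stored password only; an unknown
                    // user gets none and the digest check fails inside WSS4J.
                    if (expected == null) {
                        throw new UnsupportedCallbackException(callback, "Unknown user " + user);
                    }
                    pwcb.setPassword(expected);
                    break;
                default:
                    throw new UnsupportedCallbackException(callback,
                            "Unsupported usage " + pwcb.getUsage());
            }
        }
    }

    /** Compare without leaking the position of the first mismatch through timing. */
    private static boolean constantTimeEquals(String expected, String received) {
        if (received == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     received.getBytes(StandardCharsets.UTF_8));
    }
}
```

Throwing from the handler is what makes WSS4J report a failed authentication to Rampart, which in turn returns a SOAP fault to the client; pair a plain-text UsernameToken policy with HTTPS so the password is not visible on the wire.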

Related

Implementing web service security in Reporting Tools

I have a web reporting tool, let's say Business Objects, Cognos, OBIEE, Crystal Reports. I want to display some data in the report which is coming from a Web Service. So I copy and paste the Web Service URL inside the report cell and I can access the data.
However, this leaves a big security issue as I cannot authenticate the requestor. One thing which I can think of is checking the HTTP request header Referer property, which is set by the reporting tool, in my Web Service. This at least ensures that the request has originated from my Reporting Application. Besides this I cannot see how I can authenticate a specific user.
Appending the username to the Web Service URL is also not an option because one report is used by many users. I would somehow want to access this specific user session and associate the web service request with this user session. Let's say both my Web Reporting tool and web service are running on the same Web Application Server. Is it possible to merge the Web Service Provider and my Reporting Application so that the session user name is available in the Web Service?

Microsoft sync framework Authentication

I'm very much a novice when it comes to web applications and ASP.
Recently, I've been experimenting with the Microsoft Sync Toolkit to synchronize databases over an OData web service.
The obvious question here is: once the service is set up and published - so it is open to anyone knowing the URL - how do I prevent unauthorized users from accessing this service?
Please note: basic authentication or forms authentication - as far as my little web development knowledge reaches - doesn't seem to be appropriate for this task, as it's not a web page that the client is trying to reach - where the page can display or redirect to a logon request - it's a service that we are accessing here.
To make things more difficult, for the client-side syncing I'm using a 3rd party library/sync provider that only accepts a URL for the service. So there's no way (I think) I can experiment with incorporating login credentials inside a request header etc.
I assume the best bet would be embedding the login credentials inside the URL and using that for the 3rd party library.
Can somebody please direct me how to set up such a thing on the server? I would prefer to have somewhere in the server-side code a place where I can check for the credentials and based upon that proceed with or abort (return 401) the service request.
I could not find any place to hook such code into the sync service. Although somebody on MSDN suggested handling the _OnBeginSyncRequest event, there is no way to access the web request header from within that method.
Is there by any chance a global object accessible from everywhere from which I can access the request header? Could anyone please help with this?
And last, I would prefer a plain User / Password string pair. It should not necessarily (or rather not) have anything to do with Windows or directory accounts. I would prefer in my code to simply check against plain strings, such as if(userStr == "Authenticated user" && passwordStr == "Correct Password").
If you are using a SOAP web service, you can use the WS-Security UsernameToken, which adds your user name and password to the request header; otherwise you can add username and password as parameters in your web service and then simply validate them on the server side, i.e.
instead of
bool SyncData(datatable)
it becomes
bool SyncData(datatable, username, password)
Note that for a web service you will authenticate per call; if you want to do it per session, you need to first log in with username and password, retrieve a token, and then on each subsequent call call your service with the token.
You would also use SSL to secure the channel so username and password aren't transmitted as plain text.
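The per-session variant the answer sketches (log in once, get a token, pass the token on later calls instead of the username/password parameters), as an added example that is not part of the original answer. It is written in Java rather than the asker's ASP/.NET stack, uses an HMAC-SHA256-signed token with an expiry (`javax.crypto.Mac`, `java.util.Base64` from Java 8), and the class and method names, the 30-minute lifetime and the constructed `lookupPassword` user store are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Per-session authentication for a web service. Token format (assumption):
 * base64url(user:expiryMillis) + "." + base64url(HMAC-SHA256(user:expiryMillis)).
 * The server keeps no session state; the signature proves the token was issued here.
 */
public class SessionTokenService {

    private static final long TOKEN_LIFETIME_MS = 30 * 60 * 1000L;  // 30 minutes (assumption)
    private final byte[] hmacKey;

    public SessionTokenService(byte[] hmacKey) {
        this.hmacKey = hmacKey.clone();
    }

    /** The one call that takes username/password. Returns a token, or null if login fails. */
    public String login(String username, String password) {
        String expected = lookupPassword(username);
        if (expected == null || password == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8))) {
            return null;
        }
        String payload = username + ":" + (System.currentTimeMillis() + TOKEN_LIFETIME_MS);
        return b64(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64(hmac(payload));
    }

    /** Returns the authenticated username, or null if the token is forged, tampered with or expired. */
    public String validate(String token) {
        if (token == null) return null;
        int dot = token.indexOf('.');
        if (dot < 0) return null;
        byte[] payloadBytes;
        byte[] sig;
        try {
            payloadBytes = Base64.getUrlDecoder().decode(token.substring(0, dot));
            sig = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;                       // not even well-formed base64url
        }
        String payload = new String(payloadBytes, StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(hmac(payload), sig)) {
            return null;                       // signature mismatch: not issued by us, or modified
        }
        int sep = payload.lastIndexOf(':');
        if (sep < 0) return null;
        long expiry;
        try {
            expiry = Long.parseLong(payload.substring(sep + 1));
        } catch (NumberFormatException e) {
            return null;
        }
        if (System.currentTimeMillis() > expiry) {
            return null;                       // expired: the client must log in again
        }
        return payload.substring(0, sep);
    }

    /** The service operation from the answer, with the token replacing the credential parameters. */
    public boolean syncData(Object dataTable, String token) {
        String user = validate(token);
        if (user == null) {
            throw new SecurityException("Not authenticated");
        }
        // ... perform the sync on behalf of 'user' ...
        return true;
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] bytes) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Constructed stand-in for a user store; real code reads a database and stores hashes.
    private static String lookupPassword(String username) {
        return "alice".equals(username) ? "s3cret-example" : null;
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);     // in production, load a persistent key instead
        SessionTokenService svc = new SessionTokenService(key);
        String token = svc.login("alice", "s3cret-example");
        System.out.println("valid token    -> " + svc.validate(token));
        System.out.println("tampered token -> " + svc.validate(token + "x"));
        System.out.println("wrong password -> " + svc.login("alice", "wrong"));
    }
}
```

As the answer says, both the login call and the token must travel over SSL/TLS; a bearer token captured on the wire is as good as the password until it expires, so keep the lifetime short and sign with a key that is not derived from any user's password.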

Handle Authentication and Authorization in jax-rs webservice with cxf

I have a webapp which has JSPs. I am not using any Struts or MVC framework. We have a JAX-RS service built using Apache CXF.
Now I want to do the following:
Allow the user to log in with username and password.
For all subsequent calls to the web service, the same authentication info should be used.
The logged-in user has some details (profile photo, full name) which I want to keep constant across the session.
Also, its roles are defined. Based on role(s) only certain JAX-RS calls will be allowed.
Roles are also used in JSPs to restrict access to functionality.
Web services can be accessed from outside, so authentication and authorization info should be used.
As far as I understand, we should not use sessions in JAX-RS services. What is the best way to handle the above situation?
The best way depends on how you estimate it.
My way of doing this is to
Run Rest service and JSP on the same instance
Use web.xml and CXF to set up a security policy, which allows user/pw authentication and authorization, with ROLES bound to both JAX-RS URLs and JSP URLs.
Based on 2, jax-rs services can be called directly outside, but user/pw is required as you specified.
Hope this can help you a bit.
Think of CXF security validation as any other HTTP or HTTPS validation. You have to intercept the request and pass it to the REST service. You can use any of the tools like SiteMinder, or else you can write a CXF interceptor to do your own security validation. In the interceptor you can call an SSO-style token generator server in case you have the infrastructure, or call the DB if your architecture is built that way. You can use caching to reduce the resource hits and can look at a custom or Hibernate cache. Enabling HTTPS has to be done in the server configuration. If you have a certificate, you can use the same; otherwise you can generate your own using OpenSSL.
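An interceptor of the kind both answers describe, as an added example that is not code from the question, either answer, or the CXF project. It uses the standard JAX-RS 2.x `ContainerRequestFilter` and `SecurityContext` (which CXF 3.x supports), checks HTTP Basic credentials on every request so the service can be called from outside, and installs the user's role so resources can authorize with `isUserInRole()`. The class names, the constructed in-memory user table (a real deployment would consult the DB or SSO server mentioned in the answer) and the `/reports` resource path are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Priority;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * JAX-RS 2.x request filter: authenticates every call with HTTP Basic credentials and
 * installs a SecurityContext carrying the caller's role. Register it with CXF's
 * JAX-RS server (jaxrs:providers) so it runs before any resource method.
 */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class BasicAuthFilter implements ContainerRequestFilter {

    // Constructed user store: username -> {password, role}. Real code queries a DB or SSO.
    private static final Map<String, String[]> USERS = new HashMap<>();
    static {
        USERS.put("alice", new String[] {"s3cret-example", "admin"});
        USERS.put("bob",   new String[] {"pa55-example",   "viewer"});
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString("Authorization");
        if (header == null || !header.startsWith("Basic ")) {
            abort(ctx);
            return;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            abort(ctx);                        // malformed base64
            return;
        }
        int colon = decoded.indexOf(':');      // first colon: passwords may contain ':'
        if (colon < 0) {
            abort(ctx);
            return;
        }
        final String user = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1);
        String[] record = USERS.get(user);
        if (record == null || !MessageDigest.isEqual(
                record[0].getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8))) {
            abort(ctx);                        // same response for unknown user and wrong password
            return;
        }
        final String role = record[1];
        SecurityContext existing = ctx.getSecurityContext();
        final boolean secure = existing != null && existing.isSecure();
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return new Principal() { public String getName() { return user; } }; }
            public boolean isUserInRole(String r) { return role.equals(r); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }

    private static void abort(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", "Basic realm=\"reports\"").build());
    }
}

/** Example resource: the filter authenticates, the resource authorizes by role. */
@Path("/reports")
class ReportResource {
    @GET
    public Response list(@Context SecurityContext sc) {
        if (!sc.isUserInRole("admin")) {
            return Response.status(Response.Status.FORBIDDEN).build();   // authenticated, not allowed
        }
        return Response.ok("reports for " + sc.getUserPrincipal().getName()).build();
    }
}
```

Because Basic credentials are only base64-encoded, this filter is only sound behind the HTTPS configuration the answer mentions; the JSP side can reuse the same user table through web.xml security constraints so that one role definition governs both the pages and the REST URLs.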

Authentication for Hospital Management system

I am implementing a Java EE based Hospital Management System that has a web service and two clients are to be connected to it, a Java Swing App and a JSP-based web project. The web service is to be implemented using Stateless EJBs.
Please suggest a way of implementing authentication and login for both clients (Users are taken from database-DB2)
NB: This has to be submitted as a project, so server (WebSphere) based authentication should be avoided as much as possible. I could not find any resource corresponding to this scenario.
I suppose that users will authenticate to both applications with a username (and password). If you don't need user authorization on the service side, you can just create a username/password combination for each client and store it in the web service configuration file. In that case I would suggest message-level security for clients.
http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Ftwbs_securews.html
In case you need user authorization on the service side, you can still rely upon message-level security but process the users' credentials instead.
Here are also some examples which might be helpful:
http://www.mkyong.com/webservices/jax-ws/application-authentication-with-jax-ws/
http://www.ibm.com/developerworks/websphere/tutorials/0905_griffith/section7.html

How to set the user credentials for accessing a web service

I have a web service written where any user who hits the URL can access the web service. Now I need to set a username and password for the web service so that before accessing the web service they need to provide the user credentials, and only valid users would be allowed to access the web service.
How can I achieve this functionality? Is there any setting that I need to do?
Any help would be great.
Thank you.
One way of imposing security on access to your web service is to use HTTP security. This can be done at the level of the web site, or of the web server, hosting the web service. For example, an IIS virtual directory's properties has a Security tab where you can use either basic (plain text) security or integrated Windows security. This way you will protect the whole web site.