Authorization/Licensing of Webservice - web-services

I have developed a web service which accepts the login credentials from the XML message passed to it. I have concerns over this method as the developer who consumes the service can easily share the login credentials and my service can be called from some other application that uses the same credentials.
Is there any way that I can issue a 'license' to some specific applications? So that, even if credentials are shared among the consuming apps, only authorized ones can successfully consume the service.
P.S.: I thought about implementing IP restrictions, but that doesn't serve the purpose, as we may have different applications installed on the same server (we do have such a scenario implemented).

Did you look into having security certificates installed on the client machines? Verisign and other companies like it issue certificates that your client will need to install on their calling machine.
This of course comes for a fee!
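As an added example (not code from the original question or answer), here is one application-level way to express the "license per application" idea the question asks about: each consuming application holds its own signing key, separate from the user's credentials, and the service rejects any request that is not signed with a key it has issued and licensed for the requested operation. The certificate approach in the answer above does the same binding at the transport layer; this scheme is an alternative, not a substitute for it, and like a client certificate it only helps as long as the application keeps its key private. All application names, keys, users and operations below are constructed sample values.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data: a user account and two licensed applications.
# A real service would store a password hash, not the plaintext password.
USERS = {"alice": "s3cret-user-pw"}
APP_KEYS = {
    "inventory-app": b"constructed-app-key-1",
    "reporting-app": b"constructed-app-key-2",
}
# Which operations each application is licensed to call.
LICENSED_OPS = {
    "inventory-app": {"GetStock"},
    "reporting-app": {"GetStock", "GetReport"},
}
MAX_SKEW_SECONDS = 300  # reject signatures older than this (replay window)


def sign(app_id, ts, body, key):
    """HMAC-SHA256 over the application id, timestamp and request body."""
    msg = f"{app_id}\n{ts}\n".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_request(app_id, app_key, user, password, operation, ts=None):
    """Client side: the XML-style login message wrapped with an app signature.
    The body carries the user credentials; the signature proves which app sent it."""
    ts = int(time.time()) if ts is None else ts
    body = json.dumps({"user": user, "password": password, "operation": operation}).encode()
    return {"app_id": app_id, "ts": ts, "body": body, "sig": sign(app_id, ts, body, app_key)}


def verify_request(req, now=None):
    """Server side: check the application license first, then the user credentials.
    Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    key = APP_KEYS.get(req["app_id"])
    if key is None:
        return False, "unknown application"
    if abs(now - req["ts"]) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign(req["app_id"], req["ts"], req["body"], key)
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, req["sig"]):
        return False, "bad signature"
    data = json.loads(req["body"])
    if not hmac.compare_digest(USERS.get(data["user"], ""), data["password"]):
        return False, "bad user credentials"
    if data["operation"] not in LICENSED_OPS[req["app_id"]]:
        return False, "operation not licensed for this application"
    return True, "ok"


if __name__ == "__main__":
    ok = build_request("inventory-app", APP_KEYS["inventory-app"], "alice", "s3cret-user-pw", "GetStock")
    print(verify_request(ok))
    # Shared user credentials but no licensed application key: rejected.
    rogue = build_request("inventory-app", b"guessed-key", "alice", "s3cret-user-pw", "GetStock")
    print(verify_request(rogue))
```

Because the signature covers the body, an application that obtained the user's credentials but not a licensed key cannot forge a valid request, and the timestamp check limits how long a captured request can be replayed.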

Related

How to implement Kerberos authentication (username and password required) to a java based REST service in a Windows 7 Enterprise PC?

I have developed a REST web service using JAX-RS, hosted on an Apache Tomcat server. I used Eclipse for developing this and hosted it on a Windows 7 Enterprise machine. Now I need to provide Kerberos authentication to access my service from any client (for example SoapUI). I have tried to get information from many sites, but all I get is configurations on Linux machines.
I'm a newbie to security concepts and authentication mechanisms and architectures, so I would appreciate a good, detailed explanation.
Here is a good description of how to integrate Tomcat with Windows authentication:
https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
Please note that there might be two separate things you might want; I'm not sure which one you are looking for.
1. Authenticate transparently with the Kerberos tickets the user already has.
2. Authenticate with username+password always, using MS AD to check them.
The first is always transparent, meaning the user does not have to enter username+password again. In the second one she obviously has to.
If you are looking for other services (like SoapUI) to access your services with Kerberos tickets, then those services would need to get a ticket themselves. If you just want those services to use username+password (instead of Kerberos), then you don't need a ticket of course.
Edit after clarification: Using username+password from a Windows domain actually does not involve Kerberos at all. It is using LDAP to authenticate, which maps to JNDI in Java. There is a JNDIRealm in Tomcat to set it up, described here:
https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm

How to prevent a web app from calling System.exit() in WSO2?

WSO2 folks,
I'm looking at WSO2 Application Server, and I created a web app to invoke System.exit(), which brings down the whole app server. I'm asking because the apps from multiple tenants could be running on the same Application Server, and we need to prevent a malicious tenant from killing the whole JVM.
My first thought was to use a SecurityManager to restrict the access, but I'm not sure where I should set the SecurityManager, and how I should code the SecurityManager to ensure a secure app server.
Is SecurityManager the correct approach, or is there some other way to accomplish my requirement?
It has been protected using the Java Security Manager, and the system is configured with policies which do not allow such calls.

how to publish and discover a java web service

I am new to developing web services using Java. I have an academic project where I need to do dynamic service composition. For that I can't directly create a service client for a particular service, because if I do so then that client will call that particular service only. The client needs to search various web services, then out of those services select any one at run time and also call that service at run time.
I was able to develop the web service (JAX-WS) using Eclipse (Indigo); I also created the client for that web service and everything is working fine. Now my problem is that while creating the client I am hard-coding the client to call that particular web service only (since I am creating the client using the WSDL file of the service). However, I actually need to call any one of the searched services, but for that I need to publish the service somewhere, then discover it and then call it.
I tried publishing the service to juddiv3. But on juddiv3 I could only publish the sample service supplied with the juddiv3. When I try to publish service created by me then it is not getting displayed in the group of published services.
Is there any other UDDI server which I could install on my local machine and then publish and discover the service from? Also, I was not able to figure out how to create a client that will modify itself at run time to call any one service out of various searched services.
Kindly provide the necessary steps and code.
Thanks
You can use jUDDI (http://juddi.apache.org/ ).
jUDDI is based on UDDI v2.0 and v3.0.
Here, you can publish as well as discover your web service.
For integration, you have to make some application which integrates with jUDDI.
But I think for your academic project, and for your purpose, jUDDI is the most suitable! ( :) )
jUDDI has a boatload of examples in the source code trunk. You may want to check them out. It's difficult to guess what the problem is from the little information you've provided. Consider contacting the jUDDI team for further assistance. http://svn.apache.org/repos/asf/juddi/trunk/juddi-examples/. There's also additional documentation for working with UDDI in the jUDDI user's guide, which is at the jUDDI web site.
You cannot directly publish on jUDDI. You need to create publisher entities in the jUDDI server as well. You'll find Rename4Sales and Rename4Marketing examples in the 'Classes' folder in the standalone server's juddi application. Use these XMLs as your basis and create your own entity. You also need to configure the server's login credentials.
I suggest you follow the tutorials on jUDDI blog.

How to handle client authentication for secure web service in Delphi?

I have a SharePoint server running on my network and I am trying to build an app in Delphi which allows me to access the various SharePoint Web Services hosted there.
Running my app on the same network as the SharePoint server works fine; however, when I attempt to run it on a VM which is not part of the same domain I can't get authenticated. I was looking for some advice as to how I should be handling authentication for this type of scenario, more specifically, should I be prompting the user for their credentials or is there some built-in security model I can use for this?
Ideally I would like to try to avoid dealing with usernames & passwords in my app and let the OS handle that sort of thing; however, at the moment I can't seem to see any other way around this.
After some investigation, for my particular scenario I decided that the best approach would be to use WinINet. I chose this approach over Indy because after some thorough investigation I found Indy did have some bugs & also it didn't have all the authentication handling we needed built in.
WinINet supports prompting for credentials & automatically authenticating across the wire. See Handling Authentication.

Does A Web Service Have To Be Registered?

I'm learning about web services and most of the resources I've been reading talk about registering your web service once it's ready for use by others. Is registering a web service required to use the service?
For example, let's say I have a web application on a company intranet and I create another web service app that retrieves some sort of useful information to be displayed on this private intranet site. Would this new web service require being registered just so my web app can use it or can the web app simply interface directly to the new web service (following the WSDL file) without the need of some sort of UDDI registry?
You can certainly use the service without the UDDI registry.
I have created several Web Services and have immediately used them without registering them. Registration gives others confidence that your Web Service is legitimate and provides descriptions of how to interact with those services.
Imagine doing development where you have to register any Web Service before using it. Yikes!
No, not at all.
You are probably talking about API directories you may register your WS at. Like UDDI or what it’s named. Entirely optional.
Nobody uses UDDI anymore. It's an idea whose time has come and gone.
It was thought that there would be public registries of web services that everyone would use to find a web service to meet their needs. That never happened.
How could either the service or the app know whether or not the service was registered?
Furthermore, why would they care?
If you're trying to use service orientation the right way, your web services should be registered within a service registry. The registry should contain the published contract of the services and any meta-data that helps the discovery process.
A different question is: does a service consumer program need to look up a registry and dynamically bind the service it needs to call? NO, NOT AT ALL.
But then, what discovery process am I talking about?
I'm referring to a human (developer, architect, etc.) who is designing/developing a program that needs to call a service. This person should have means to search what services are available in his/her organization. If not, the benefit of reusing services is compromised.
Discovery is also about humans finding out there's a service somewhere in the IT organization that offers the functionality they want.
In this case, the registry can be as simple as an HTML report that is created and updated manually or generated by parsing (XSLT comes in handy) the WSDL files.
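The last answer above suggests a registry generated by parsing WSDL files, and the earlier jUDDI question asks for a client that picks a service at run time from whatever it discovered. As an added example (not code from any of the posts, and not jUDDI's own API), the following builds exactly that kind of lightweight registry: it parses WSDL documents with the standard library, records each SOAP endpoint and the operations its portType offers, answers "which services offer operation X" queries so a client can bind at run time, and renders the HTML report the answer describes. The two WSDL documents are constructed sample input; the `example.invalid` hosts are placeholders.

```python
import html
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}

# Constructed sample WSDLs (not from any real service).
SAMPLE_WSDLS = [
    """<definitions name="StockService" targetNamespace="http://example.invalid/stock"
        xmlns="http://schemas.xmlsoap.org/wsdl/"
        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
        xmlns:tns="http://example.invalid/stock">
      <portType name="StockPort">
        <operation name="GetStock"/>
        <operation name="GetReport"/>
      </portType>
      <binding name="StockBinding" type="tns:StockPort">
        <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
      </binding>
      <service name="StockService">
        <port name="StockPort" binding="tns:StockBinding">
          <soap:address location="http://intranet.example.invalid/stock"/>
        </port>
      </service>
    </definitions>""",
    """<definitions name="ReportService" targetNamespace="http://example.invalid/reports"
        xmlns="http://schemas.xmlsoap.org/wsdl/"
        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
        xmlns:tns="http://example.invalid/reports">
      <portType name="ReportPort">
        <operation name="GetReport"/>
      </portType>
      <binding name="ReportBinding" type="tns:ReportPort">
        <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
      </binding>
      <service name="ReportService">
        <port name="ReportPort" binding="tns:ReportBinding">
          <soap:address location="http://intranet.example.invalid/reports"/>
        </port>
      </service>
    </definitions>""",
]


def parse_wsdl(text):
    """Return {service_name: {"endpoint": url, "operations": [...]}} for the SOAP ports in one WSDL.
    Only parse WSDLs you trust: ElementTree does not stop entity-expansion abuse by itself."""
    root = ET.fromstring(text)
    port_types = {
        pt.get("name"): [op.get("name") for op in pt.findall("wsdl:operation", NS)]
        for pt in root.findall("wsdl:portType", NS)
    }
    # binding name -> portType local name (strip the "tns:" prefix)
    bindings = {b.get("name"): b.get("type").split(":")[-1] for b in root.findall("wsdl:binding", NS)}
    entries = {}
    for svc in root.findall("wsdl:service", NS):
        for port in svc.findall("wsdl:port", NS):
            addr = port.find("soap:address", NS)
            if addr is None:
                continue  # not a SOAP port; skip
            pt = bindings.get(port.get("binding").split(":")[-1])
            # Assumes one SOAP port per service; a later port would replace an earlier one.
            entries[svc.get("name")] = {
                "endpoint": addr.get("location"),
                "operations": sorted(port_types.get(pt, [])),
            }
    return entries


def build_registry(wsdl_texts):
    registry = {}
    for text in wsdl_texts:
        registry.update(parse_wsdl(text))
    return registry


def find_services(registry, operation):
    """Discovery: names of all services that offer the operation, sorted for determinism."""
    return sorted(name for name, entry in registry.items() if operation in entry["operations"])


def choose_endpoint(registry, operation):
    """Run-time binding: endpoint of the first service offering the operation, or None."""
    matches = find_services(registry, operation)
    return registry[matches[0]]["endpoint"] if matches else None


def render_html(registry):
    """The human-facing registry report; values are escaped so a WSDL cannot inject markup."""
    rows = "".join(
        f"<tr><td>{html.escape(name)}</td><td>{html.escape(e['endpoint'])}</td>"
        f"<td>{html.escape(', '.join(e['operations']))}</td></tr>"
        for name, e in sorted(registry.items())
    )
    return f"<table><tr><th>Service</th><th>Endpoint</th><th>Operations</th></tr>{rows}</table>"


if __name__ == "__main__":
    reg = build_registry(SAMPLE_WSDLS)
    print(find_services(reg, "GetReport"), choose_endpoint(reg, "GetStock"))
    print(render_html(reg))
```

The registry is a plain dictionary, so the client side of the jUDDI question reduces to `choose_endpoint` followed by a normal JAX-WS `Service.create(...)` against the chosen endpoint; the HTML output is the manually maintained report the last answer has in mind, produced from the WSDLs instead of by hand.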