All geek questions in one place

Secure Java Web Services

I am trying to figure out which framework / API is best suited to implement my web services (Java EE). The data transferred between the client and the web container should be super secure, so I even think about encrypting my data before it even completes in a SOAP message (or in a secure SOAP equivalent), regardless of which security services provides me with the infrastructure.

I see that there is the so-called XWS-Security, but it looks like it is designed to protect obsolete JAX-RPC services. I would like the environment to be compliant with standards (WSS / OASIS, etc.) and neither deprecated nor depreciated (current, compatible with the upcoming version of Java 7, etc.).

Is JAX-WS and JAX-RS safe by default? If not, is there a compatible “secure shell” that can be used to adapt an existing JAX-WS web service to implement a secure framework?

Any thoughts or suggestions are greatly appreciated!

+4
source share
2 answers

You have to do two things: first secure the transport using SSL. If you control clients and the server, then you may need two-way SSL, which will only allow trusted clients to connect.

Secondly, you can implement WS security protocols. Web service security standards tend to deal with three things: authentication, digital signatures, and encoding / decryption (from Spring -WS docs):

Authentication. It is the process of determining whether a principal is what they call themselves. In this context, “master” usually means a user, device, or some other system that can perform an action in your application.

Digital signatures. The digital signature of a message is a piece of information based on both the document and the personal key of the signatory. It is created using a hash function and a private signing function (encryption with the subscriber’s private key).

Encryption and decryption. Encryption is the process of converting data into a form that cannot be read without the appropriate key. It is mainly used to store information hidden from someone for whom it is not intended. Decryption is reverse encryption; It is the process of converting encrypted data back to readable form.

There are several protocols / standards for each of these functions, and there are a number of Java OSS projects that implement various security protocols / standards in a reasonable and convenient way.

In particular, I would look at Sun XWSS and APACHE WSS4J. Spring WS has implementations of both of these APIs, they also describe various components well: http://static.springsource.org/spring-ws/sites/2.0/reference/html/security.html

+3
source

If you just want to protect the content, use transport layer security such as HTTPS. This will automatically encrypt WS request / response and prevent evesdropping and malicious modification.

If you want to do authentication / authorization, you might want to force the caller to sign the request as well.

+5
source

Source: https://habr.com/ru/post/1338094/

More articles:


All Articles