Security with Java Web Services

We have a client application that calls our web services. How can we make sure that only this client application calls our web services, and not a client written by someone else?

We would like to avoid hard-coding the password in the application.

+4
3 answers

A quick answer to your question would be to take a look at OAuth. Implementing OAuth correctly is a process, so I would read the protocol documentation. Here is a link to an example of OAuth client libraries. I would also search StackOverflow for recommendations on OAuth implementations.

+3

In this case you could use two-legged OAuth. This is a variant of standard OAuth and is used by companies such as SimpleGeo. Then secure the connection with HTTPS and you have a reliable solution.

+3
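The exchange the answer above describes, as an added example that is not part of the original thread and not SimpleGeo's or any library's code: two-legged OAuth 1.0 with HMAC-SHA1, where the client signs each request with a consumer secret and the server recomputes the signature, rejects stale timestamps, and refuses replayed nonces. The consumer key, secret, URL and parameters are constructed for the example; the `now` and `nonce` arguments are injectable only so the run is reproducible.

```python
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Constructed credentials for this example. In practice the secret is
# provisioned to each client out of band and kept in a keystore or config,
# not in the source tree (the question's concern about hard-coding).
CONSUMER_KEY = "acme-mobile-app"
CONSUMER_SECRET = "3f7b0c9e-constructed-secret"


def percent_encode(value):
    """RFC 5849 3.6 encoding: only ALPHA / DIGIT / '-' / '.' / '_' / '~' unencoded."""
    return urllib.parse.quote(str(value), safe="-._~")


def normalize_params(params):
    """Encode names and values, sort by name then value, join with '=' and '&'."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, base_url, params):
    """METHOD & encoded base URL & encoded normalized parameters (RFC 5849 3.4.1).
    base_url carries no query string; query parameters belong in params."""
    return "&".join([method.upper(), percent_encode(base_url),
                     percent_encode(normalize_params(params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Two-legged flow: there is no access token, so the token-secret half is empty."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def client_sign_request(method, base_url, params, consumer_key, consumer_secret,
                        now=None, nonce=None):
    """Client side: build the oauth_* parameters, including the signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time() if now is None else now)),
        "oauth_nonce": nonce if nonce is not None else secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, base_url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret)
    return oauth


class ServerVerifier:
    """Server side: recompute the signature and reject stale or replayed requests."""

    def __init__(self, consumer_secrets, window_seconds=300):
        self.consumer_secrets = consumer_secrets  # consumer key -> secret (constructed store)
        self.window_seconds = window_seconds
        self.seen = set()  # (consumer key, timestamp, nonce) already accepted

    def verify(self, method, base_url, params, oauth, now=None):
        now = time.time() if now is None else now
        secret = self.consumer_secrets.get(oauth.get("oauth_consumer_key"))
        if secret is None:
            return False, "unknown consumer key"
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(oauth["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        if abs(now - ts) > self.window_seconds:
            return False, "timestamp outside window"
        replay_key = (oauth["oauth_consumer_key"], ts, oauth.get("oauth_nonce"))
        if replay_key in self.seen:
            return False, "nonce already used"
        # Everything except the signature itself goes into the base string.
        unsigned = {**params, **{k: v for k, v in oauth.items() if k != "oauth_signature"}}
        expected = hmac_sha1_signature(signature_base_string(method, base_url, unsigned), secret)
        if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            return False, "signature mismatch"
        self.seen.add(replay_key)  # remember only after the signature checks out
        return True, "ok"
```

The nonce set is what turns "any request signed with the right secret" into "each request accepted once"; in a real deployment entries older than the timestamp window can be pruned, since a request outside the window is rejected before the nonce is consulted. Signing does nothing about a secret that has already been extracted from the client, which is the point the third answer makes; it does stop an eavesdropper or a client that only knows the consumer key.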

If you don't mind the clients not working in a browser, you can use XSRF tokens: a session secret tied to the session key in your backend, or round-tripped via two separate paths, i.e. both through a hidden form input and through a cookie over a secure channel. If you cannot secure the channel, you must make the tokens one-time. See http://www.cgisecurity.com/csrf-faq.html#protectapp

You cannot, in the general case. A sufficiently clever hacker can probably reverse-engineer any protocol you use and extract any secrets that you embed in the source code.

+1
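The token scheme the answer above sketches, as an added example that is not part of the original thread: a server-side guard that issues a token bound to the session and checks that a request carries the same token on both paths (cookie and hidden form field). In the default mode the token is a keyed hash of the session key and can be recomputed statelessly; in `one_time` mode it is random, stored, and spent on first use, which is the fallback the answer gives for a channel that cannot be secured. The server key, session identifiers and request shape are constructed for the example.

```python
import hashlib
import hmac
import secrets


class XsrfGuard:
    """Issues per-session XSRF tokens and requires the same token on both
    paths of the request: the cookie and the hidden form field."""

    def __init__(self, server_key, one_time=False):
        self.server_key = server_key   # constructed secret; lives in backend config
        self.one_time = one_time
        self.outstanding = {}          # session_id -> set of unspent one-time tokens

    def issue(self, session_id):
        if self.one_time:
            # Random, stored, consumed on first use: a copy captured in transit is worthless.
            token = secrets.token_urlsafe(32)
            self.outstanding.setdefault(session_id, set()).add(token)
            return token
        # Stateless: a secret tied to the session key, recomputable on every request.
        return hmac.new(self.server_key, session_id.encode(), hashlib.sha256).hexdigest()

    def check(self, session_id, request):
        cookie_token = request.get("cookies", {}).get("XSRF-TOKEN")
        form_token = request.get("form", {}).get("xsrf_token")
        if not cookie_token or not form_token:
            return False, "token missing on one path"
        if not (cookie_token.isascii() and form_token.isascii()):
            return False, "malformed token"      # compare_digest needs ASCII str
        if not hmac.compare_digest(cookie_token, form_token):
            return False, "cookie and form tokens differ"
        if self.one_time:
            unspent = self.outstanding.get(session_id, set())
            if form_token not in unspent:
                return False, "token unknown or already spent"
            unspent.discard(form_token)
            return True, "ok"
        expected = self.issue(session_id)
        if not hmac.compare_digest(expected, form_token):
            return False, "token not bound to this session"
        return True, "ok"


def build_request(session_id, token):
    """Shape of the request as the legitimate client sends it (constructed)."""
    return {"cookies": {"session": session_id, "XSRF-TOKEN": token},
            "form": {"xsrf_token": token, "action": "transfer"}}
```

Either mode only identifies a holder of the session, not a particular client binary, which is why the same answer adds that the general problem has no solution: anything the client program knows, a determined reverse-engineer can recover.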

Source: https://habr.com/ru/post/1341681/
