I am implementing a Spring WS in NetBeans IDE and JDK1.6. The Spring-WS version is 2.0.4. Though I have implemented the provider by going through the tutorial on Spring site but I am unable to implement the security features. Can anybody explain the overall security framework in WebServices like where are the certificates placed on the server and how the request is validated against them. Also the spring site doesnt contains enough info about the terms like keystores, certificates, trusted stores. Can anybody explain how are these related to Spring WS and how can they be created and used ? I am just getting more and more confused ?
I implemented Spring WSS few weeks ago and all the information you need can be found in this link. There, you can find information about certificates and keystores but you should look for in other place if you need more information about as Spring WSS just uses certificates for signing and validating the messages.
Particulary, for signing a message you need to create a interceptor as it is described here. Once your interceptor is ready, you can add it to the ingoing messages or to the outgoing
Also, I recommend you to debug your SOAP messages as it is described here to see what is going on with your messages.
Related
I have a Jersey based server that I want to secure with OAuth 2.0. There are two paths that I've seen as common:
Oltu - Is compatible with Jersey and seems to be supported, although not as well as Spring Security. This 2012 question seems to suggest this is the way to go, but I want confirmation on a 2016 context so I son't implement something not as well supported anymore.
Spring Security - It seems to be very popular, but this path implies changing the server into a Spring based MVC. I don't know if that is something recommendable based on the benefits of using something as widely supported as Spring and the cost of the refactoring.
With support I mean a project that is in continous development, well established community with tutorials, materials and some libraries for clients (web, mobile, server) already available.
Which one is a stronger option? Is there another option or options?
In any case. Is there a good reference material or tutorial to start implementing this?
UPDATE
After few hours of reading and understanding about both the OAuth Providers I had mentioned, I feel Apache Oltu's documentation did not guide me much as there are key components that aren't documented yet, but an example gave me a better picture on how Oltu must be implemented. On the other hand, going through Spring Security's material I got to know that it can still be built on a non-Spring MVC based java project. But there is a limited exposure of implementations/tutorials on Spring Security on a non-Spring based project.
Another approach:
I came up with an architecture that might be more stable and would not care about the implementation details of the inner server(the one already implemented using Jersey). Having a server that is dedicated for security purpose (authorizing, authenticating, storing tokens in its own database, etc) in the middle that acts like a gateway between the outside world and the inner server. It essentially acts a relay and routes the calls, back and forth and ensures that the client knows nothing about the inner server and both the entities communicate with the security server only. I feel this would be the path to move forward as
Replacing with another security provider just means plugging out the security server implemetation and adding the new one.
The security server cares nothing about the inner server implementation and the calls would still follow the RESTful standards.
I appreciate your suggestions or feedbacks on this approach.
Apache Oltu supports OpenID Connect but its architecture is bad. For example, OpenIdConnectResponse should not be a descendant of OAuthAccessTokenResponse because an OpenID Connect response does not always contain an access token. In addition, the library weirdly contains a GitHub-specific class, GitHubTokenResponse.
Spring Security is famous, but I'm afraid it will never be able to support OpenID Connect. See Issue 619 about the big hurdle for OpenID Connect support.
java-oauth-server and java-resource-server are good examples of Jersey + OAuth 2.0, but they use a commercial backend service, Authlete. (I'm the author of them.)
OpenAM, MITREid Connect, Gluu, Connect2id, and other OAuth 2.0 + OpenID Connect solutions are listed in Libraries, Products, and Tools page of OpenID Foundation.
**UPDATE** for the update of the question
RFC 6749 (The OAuth 2.0 Authorization Framework) distinguishes an authorization server from a resource server. In short, an authorization server is a server that issues an access token, and a resource server is a server that responds to requests which come along with an access token.
For a resource server, API Gateway is one of the recent design patterns. Amazon, CA Technologies, IBM, Oracle and other companies provide API Gateway solutions. API Gateway architecture may be close to your idea. Some API Gateway solutions verify access tokens in their own ways (because the solutions issue access tokens by themselves) and other solutions just delegate access token verification to an external server (because the solutions don't have a mechanism to issue access tokens). For example, Amazon API Gateway is an example that delegates access token verification to an external server, which Amazon has named custom authorizer. See the following for further information about custom authorizer.
Introducing custom authorizers in Amazon API Gateway (AWS Blog)
Enable Amazon API Gateway Custom Authorization (AWS Document)
Amazon API Gateway Custom Authorizer + OAuth (Authlete article)
If an authorization server provides an introspection API (such as RFC 7662) that you can use query information about an access token, your resource server implementation may be able to replace (plug-out and add) an authorization server to refer to comparatively easily.
For an athorization server, gateway-style solutions are rare. It's because such a solution must expose all the functionalities required to implement an authorization server as Web APIs. Authlete is such a solution but I don't know others.
I think, it's far simplier to use the oauth connectors that are implemented inside jersey itself!
Have you considered using jersey own OAuth (already linked inside jersey) server / client ?
https://eclipse-ee4j.github.io/jersey.github.io/documentation/latest/security.html#d0e13146
Please take a look to :
16.3.2. OAuth 2 Support
hope helped. :)
Is there a Java provider implementation of the OAuth's Resource Owner Password flow or a library to include in my project?
I have read that Spring Security provides those libraries with a server or provider implementation, can I only include those Spring libraries to my standard Java EE project without using the full Spring stack?
Could it be possible or reasonable to implement the OAuth provider and client for that flow following the RFC?
The UAA project uses Spring Security's OAuth provider to implement a full OAuth2 authorization server (including resource owner grant). Why not use that?
You can't "only include those Spring libraries to my standard Java EE project" without using Spring. It's not really clear from your question how you would expect that to work. Where would the authorization server be implemented, for example?
It's certainly possible to implement the OAuth2 provider yourself, especially if you are only using part of the spec, but it's not trivial and probably not "reasonable" if it is just incidental to your main application development.
You will still need to consider how to protect your resource servers when they are accessed by an application which has obtained a token from the authorization server. In other words, they need to be able to check and understand the token that is issued and make an access decision based on it.
I am creating a web service using IBM JAX-RPC/JAX-WS. I am trying to implement the wsse security but not able to figure out the exact steps for achieving the same. I will be using RSA 7.5 and Websphere 7 for this web service.
Reading the documentation, I was totally lost since I am new to it and don't have any idea about the same.
Can someone list me the steps for how to implement the wsse security for the web service?
I have been struggling on this since past few days.
EDIT
I want the authentication to be done in the header, it should look something like this:
<header>
<authenticationInfo>
<userID></userID>
<password></password>
</authenticationInfo>
</header>
Other than using the handler and altering the header content, is there some other way to achieve the same?
For web services (SOAP based), the security part is generally handled by web services handlers. Handlers are applicable for both the client and server side. For typical security use case,
On client side, the handlers intercept the request before being send to server and inserts a security header in the SOAP message.
On server side, the handlers intercept the request and check for the SOAP request contains appropriate security headers. This happens before it handled by request handlers.
Here is a nice link on WS security in general I came across. Its not IBM or java specific but an informative read nevertheless.
To answer you question for step by step guide, I could not find any standard RSA 7.5 specific articles but since JAX-RPC is standard specification, it should be same. Here is once such example (Part1,Part2)
WebSphere has built-in support for WS-Security. See http://publib.boulder.ibm.com/infocenter/radhelp/v7r5/topic/com.ibm.webservice.wsfp.doc/topics/csecurews.html.
I see the following link that explains how rest api needs to be secured. (Using public key and a HMAC(hash) of request parameters and private key).
http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
I also see this link in stackoverflow which talks about rest api security using spring
combining spring security 3 with jersey rest api
I see this link in oracle weblogic website that talks about restful api security using web.xml or security context etc
http://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm
Are these approaches distinct or related? I also couldn't find any code that actually does handshake etc. I am totally confused. Please help.
Second and third approaches are related in that they secure the web context for certain users, groups or roles.
First approach talks about encrypting URL parameters so that sensitive request parameters sent through GET method are protected.
Both of the above are independent and are needed for different reasons. (message level security vs access control).
I have webservice (server-side) implemented using axis2 in my project. We want to enable WS-security in the existing web services. We are evaluating if apache ramapart module fits our need. Here is our requirement:
Basically we have in-house security framework which provides encryption,signature and token generation capabilites. Our in-house security framework basically requires a set of configurations in form of XML and it expose various APIs to do various security operations.
Now with above environment, I can think of three possbile solutions:-
I can develop an axis2 module around in-house security framework and install it as .mar file in security phase. So I will not use apache rampart. But issue with this approach is I can't use ws-security policy to specify security assertions and making sure incoming security tokens conforms to effective policy. It is like reinventing wheel what rampart already doing.
I believe apache rampart underlines call to apache wss4j module for security operations. I believe apache wss4j module provides a way to register 3rd party security provider (by implemeting CryptoProvider interface). I am not sure if this is feasible and viable solution. Please suggest.
Ws-security policy allows to use a custom token. This custom token can be built up using our in-house security framework. So basically it enables us to create ws-security policy using apache rampart module and have custom token developed using our security framework. But I could not find help regarding this on internet. Could anyone please help with example.
any other suggestions are also most welcome.
I've posted an answer here: How to encrypt SOAP messages manually?
There is a very detailed example there that you might find useful.
you can set the provider by using :
cryptoConfig.setProvider(PROVIDER);
Regarding the custom security headers, I'm sorry but I didn't try it so I can't help you there.