I have created REST web service in java but need to secure it so that only the authorised clients should be able to access the service. I have never implemented security before. Hence I have no idea where to start to be honest. Do I need to implement any token based security where client need to provide the token in the header of request and I need to verify on my end ?
As RESTful Web Services work with HTTP URL Paths, it is very important to safeguard a RESTful Web Service in the same manner as a website is secured.
For understanding of importance of security consider the following links:
http://howtodoinjava.com/security/restful-web-services-security-guide/
How to secure RESTful web services?
While for Implementation using Spring use the given link:
https://dzone.com/articles/securing-restful-web-service
My Web Service have been implemented in Jersey Framework.
I want to call this web service ( server) from client which I want to implement in restlet framework.
Is it possible ?
Regards,
Nothing stops you from doing that :). Fundamentally, all you do is invoke a HTTP URL by passing some parameters. REST is all about this very basic principal. So under the hood, all the REST client implementations do this. Please go ahead and use whichever REST client you are comfortable with.
My web service was created some time back using IBM JAX-RPC. As a part of enhancement, I need to provide some security to the existing service.
One way is to provide a handler, all the request and response will pass through that handler only. In the request I can implement some authentication rules for each and every application/user accessing it.
Other than this, What are the possible ways for securing it?
I have heard someting called wsse security for web service. Is it possible to implement it for the JAX-RPC? Or it can be implemented only for JAX-WS? Need some helpful inputs on the wsse security so that i can jump learning it.
Other than handler and wsse security, any other possible way to make a service secure?
Please help.
JAX-RPC and Document-Literal are two different ways of creating SOAP webservices. For adding the security, check out OASIS. You have to add the the policy tag and additional layer of encryption to the SOAP message
I am currently using the jaxws and apache CXF framework to create webservices using the top down approach.
I am using the SOAP interceptors to add remove SOAP header elements, using SAAJ, before the message gets to the container, and the container maps the SOAP action too the java method. I am doing this to create Security Token Services (STS) to facilitate a lite implementation of the SAML2 Profile - converting authentication details into portable identities (SAML Authentication Assertions).
I cannot help think there must be an easier way to do this. Is there a framework that will allow me to manipulate the message with more ease? and if so a tutorial would help.
Many thanks
To change things in SOAP messages you must use SOAP Handlers.
Maybe easier way to do it is changing the way you are securing your web service, if you use a WS-Security way of doing things, our container will work with it fine, and you don't need the handlers anymore.
Basically I need webservice where client can request with id one boolean value from our webservice. What technology would be most suitable for this small API? Of course it is possible that there will be more functions to interface, but now we need only one function. It also needs to have authentication, so that only auhtorized clients can access service. And every client have different auth credientials.
What would be good technology for this purpose?
I am using resteasy to build my webservices and it is pretty easy to use ... just need to use annotations on my methods to deliver the webservices.
Here is a comparison of different JAX-RS frameworks. Take a look at it
First of all: authentication and authorization. Don't do it yourself, pick an app server or servlet container and configure it to do the job.
For the web service....
The simplest thing to do it just implement a servlet that responds to a POST (not a GET if request modifies internal state) and returns the result in the body. This way you don't need any frames works, no learning to do (if you already know servlets). The downside is it won't scale as you add more features, and your not using enough buzz words.
If you want a SOAP based webservice, then look at JAX-WS. Now that it's backed into java 6 it's pretty easy.
At the simplest level JAX-WS lets you put a few annotations on your class, like #WebService, and it auto generates a wsdl and exposes an instance of your class via the web service.
There is plenty of documenation out around how to do it:
http://java.sun.com/webservices/docs/2.0/tutorial/doc/
http://www.java-tips.org/java-ee-tips/java-api-for-xml-web-services/developing-web-services-using-j.html
http://cwiki.apache.org/GMOxDOC20/simple-web-service-with-jax-ws.html
JAX-WS + any servlet container (Tomcat is usual choice)
#WebService(targetNamespace = "http://affinity.foo.com", name="RewardsStatus")
#SOAPBinding(style=SOAPBinding.Style.RPC, use=SOAPBinding.Use.LITERAL)
public interface RewardsStatusIF {
#WebMethod(operationName="GetLastNotificationDate", action="urn:GetLastNotificationDate")
#WebResult(name="return")
public Date getLastNotificationDate() throws AffinityException;
...
Actually, you don't even need a servlet container. JAX-WS has a way to run the service under a standalone Java application. It has some limitations (I have failed to make a stateful service work), but it's
very simple to create.
Given that you tagged your question as "Java", I suggest Jetty. It is a very good small servlet engine. It has support for sessions, so adding authentication should not be a problem.
If you are using Java 6, there is already a HTTP Server builtin, it supports Http authentication. That's all you need. Check out,
com.sun.net.httpserver
You could use some restful framework like jersey.
An alternative to SOAP-based web services with JAX-WS would be JAX-RS (for RESTful web services).
We have a lot of scenarios on our project where we want small amounts of data available via simple HTTP URLs while the app is running and in my experience, Restlet (http://www.restlet.org/) seems to be one of the easiest things available for setting up simple "web-service"-like interfaces (RESTful interfaces) within Java apps.