Thursday, March 4, 2010

How to become an expert in Web Service security in 30 seconds

First read this:

http://download.oracle.com/docs/cd/E13226_01/workshop/docs81/doc/en/core/index.html

You will learn that there are .WSSE files (http://en.wikipedia.org/wiki/Wsse) containing the security policy for a WS.

You attach it to the WS with the annotation
@jws:ws-security-service

You might also need a WSSE file for callbacks (not needed if the WS is synchronous).


Also very interesting is this article:

https://www6.software.ibm.com/developerworks/education/ws-understand-web-services4/section2.html

which goes over security.
In a nutshell we need to:
- identify and authenticate the client (security token)
- ensure the integrity of the message (digital signature)
- prevent unauthorized parties from eavesdropping on our message (encryption)
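The "security token" half of that list is what a WS-Security UsernameToken carries. The following is an added example (not code from this post, BEA or IBM): it builds a SOAP envelope with a wsse:Security header holding a digest-mode UsernameToken, as the OASIS Username Token Profile defines it (PasswordDigest = Base64(SHA-1(nonce + created + password))), and then verifies it the way a service should: the Created timestamp must be fresh, the nonce must not have been seen before (replay defence), and the digest is compared in constant time. The user "alice", her password, the nonce, the timestamps and the getOrder body element are all constructed for the example; the namespace URIs are the real OASIS ones.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Real OASIS WS-Security 1.0 namespaces and type identifiers.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NONCE_B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

for prefix, uri in (("soapenv", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Username Token Profile: Base64(SHA-1(nonce + created + password))."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def build_envelope(username, password, nonce=None, created=None):
    """Client side: SOAP envelope with a digest-mode UsernameToken in the header."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security", {f"{{{SOAP_NS}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE_NS}}}Password", {"Type": PASSWORD_DIGEST}).text = \
        password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce", {"EncodingType": NONCE_B64}).text = \
        base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, "{urn:example}getOrder").text = "42"  # constructed payload
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text, lookup_password, seen_nonces, now=None, max_age=timedelta(minutes=5)):
    """Service side. Returns (accepted, reason). seen_nonces is the replay cache."""
    now = now or datetime.now(timezone.utc)
    tok = ET.fromstring(xml_text).find(f".//{{{WSSE_NS}}}UsernameToken")
    if tok is None:
        return False, "no UsernameToken"
    username = tok.findtext(f"{{{WSSE_NS}}}Username") or ""
    pw_el = tok.find(f"{{{WSSE_NS}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE_NS}}}Nonce") or ""
    created = tok.findtext(f"{{{WSU_NS}}}Created") or ""
    if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST:
        return False, "digest password required"  # refuse PasswordText tokens
    try:
        created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:
        return False, "bad Created or Nonce"
    if abs(now - created_dt) > max_age:
        return False, "Created outside freshness window"
    if nonce_b64 in seen_nonces:
        return False, "nonce replayed"
    expected_pw = lookup_password(username)
    if expected_pw is None:
        return False, "unknown user"
    expected = password_digest(nonce, created, expected_pw)
    if not hmac.compare_digest(expected, pw_el.text or ""):
        return False, "digest mismatch"
    seen_nonces.add(nonce_b64)  # only remember nonces of accepted tokens
    return True, "ok"


def demo():
    """Constructed scenario: fresh token, replay of it, wrong password, stale token."""
    users = {"alice": "s3cret"}
    nonce, created = b"0123456789abcdef", "2010-03-04T12:00:00Z"
    now = datetime(2010, 3, 4, 12, 0, 30, tzinfo=timezone.utc)
    seen = set()
    good = build_envelope("alice", "s3cret", nonce, created)
    return [
        verify_envelope(good, users.get, seen, now),
        verify_envelope(good, users.get, seen, now),  # same nonce a second time
        verify_envelope(build_envelope("alice", "wrong", nonce, created), users.get, set(), now),
        verify_envelope(good, users.get, set(), now + timedelta(hours=1)),
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

A digest token only authenticates the client; it does not protect the body, so the signature and encryption items from the list still have to come from the policy file (or from transport-level TLS). The replay cache must be shared across every node that accepts the token, and its entries can be expired after max_age since anything older is rejected by the timestamp check anyway.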


It turns out that JPD files (WLI) cannot be secured directly with WS-Security policies:
http://download.oracle.com/docs/cd/E14981-01/wli/docs1031/bpguide/bpguideCreateApp.html

WS-Security policy (WSSE) files are not supported for business processes (JPDs). Therefore, the following annotations are not supported for JPD files: com.bea.wli.common.WSSecurityCallback and com.bea.wli.common.WSSecurityService.
If you want to use WS-Security, then you must front-end the JPD with a JWS. The client would invoke a JWS using WS-Security, then the JWS would locally invoke the JPD via a Process Control.


If you use the annotation com.bea.wli.common.WSSecurityService you might get an error:
Exception trying to load wsse policy definition error: The document is not a wsSecurityPolicy@http://www.bea.com/2003/03/wsse/config


More info on WS-SecurityPolicy http://en.wikipedia.org/wiki/WS-SecurityPolicy

sample empty policy file:

  <wsSecurityPolicy
    xmlns="http://www.bea.com/2003/03/wsse/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  </wsSecurityPolicy>

 (see http://www.devarticles.com/c/a/Web-Graphic-Design/Working-with-Web-Services/7/ )



One can also secure the web application at the web.xml level:
http://download-llnw.oracle.com/docs/cd/E13222_01/wls/docs81/webapp/web_xml.html#1017885


This is a sample security-constraint in web.xml:
http://docs.sun.com/app/docs/doc/819-3669/bncbk?a=view
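Two security-constraint mistakes are easy to make and hard to spot by eye: listing http-method elements (the constraint then covers only those verbs, and any other verb reaches the servlet unconstrained) and leaving transport-guarantee at NONE. The following is an added example, not from this post or the linked docs: a small audit function that walks the security-constraint elements of a web.xml and reports those problems plus a missing auth-constraint or login-config. The embedded web.xml, with its /orders/* and /admin/* patterns, role name and realm, is constructed for the example; one constraint is sound and one has all three problems.

```python
import xml.etree.ElementTree as ET

# Constructed deployment descriptor: the first constraint is fine,
# the second has every problem the audit looks for.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Orders</web-resource-name>
      <url-pattern>/orders/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>orderclerk</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
</web-app>
"""


def _local(tag):
    """Strip the namespace so 2.3 (DTD) and 2.4+ (schema) descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _text(el, name):
    found = _children(el, name)
    return (found[0].text or "").strip() if found else None


def audit_web_xml(xml_text):
    """Return a list of human-readable findings, one per weakness."""
    findings = []
    root = ET.fromstring(xml_text)
    for sc in _children(root, "security-constraint"):
        patterns, methods = [], []
        for wrc in _children(sc, "web-resource-collection"):
            patterns += [(p.text or "").strip() for p in _children(wrc, "url-pattern")]
            methods += [(m.text or "").strip() for m in _children(wrc, "http-method")]
        label = ", ".join(patterns) or "<no url-pattern>"
        # No auth-constraint means access is not restricted by role at all.
        if not _children(sc, "auth-constraint"):
            findings.append(f"{label}: no auth-constraint, so no login is required for these URLs")
        # Listing verbs narrows the constraint to exactly those verbs.
        if methods:
            findings.append(f"{label}: only {'/'.join(methods)} are constrained; "
                            "other HTTP methods bypass the constraint")
        udc = _children(sc, "user-data-constraint")
        guarantee = _text(udc[0], "transport-guarantee") if udc else None
        if guarantee != "CONFIDENTIAL":
            findings.append(f"{label}: transport-guarantee is {guarantee or 'unset'}, not CONFIDENTIAL")
    if not _children(root, "login-config"):
        findings.append("no login-config: the container cannot challenge clients for credentials")
    return findings


if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print(finding)
```

Running it on the sample reports three findings, all against /admin/*. The fix for the verb problem is simply to drop the http-method elements so the constraint covers every method; an empty auth-constraint element, by contrast, is legitimate and denies everyone.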
