Securing a Web Service



Similar documents
Recommended readings. Lecture 11 - Securing Web. Applications. Security. Declarative Security

Application Security

Web Application Architecture (based J2EE 1.4 Tutorial)

Keycloak SAML Client Adapter Reference Guide

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Security Policy Revision Date: 23 April 2009

Using etoken for SSL Web Authentication. SSL V3.0 Overview

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

Configuring IBM WebSphere Application Server 7 for Secure Sockets Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Web

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173

Configuring BEA WebLogic Server for Web Authentication with SAS 9.2 Web Applications

Supplement IV.E: Tutorial for Tomcat. For Introduction to Java Programming By Y. Daniel Liang

TypingMaster Intra. LDAP / Active Directory Installation. Technical White Paper (2009-9)

PicketLink Federation User Guide 1.0.0

Is your data safe out there? -A white Paper on Online Security

Controlling Web Application Behavior

Overview. SSL Cryptography Overview CHAPTER 1

Angel Dichev RIG, SAP Labs

Cornerstones of Security

SSL/TLS: The Ugly Truth

Web Application Programmer's Guide

GT 6.0 GSI C Security: Key Concepts

QLIKVIEW MOBILE SECURITY

Understanding Digital Certificates and Secure Sockets Layer (SSL)

VeriSign PKI Client Government Edition v 1.5. VeriSign PKI Client Government. VeriSign PKI Client VeriSign, Inc. Government.

Transition Networks White Paper. Network Security. Why Authentication Matters YOUR NETWORK. OUR CONNECTION.

Configuring the JBoss Application Server for Secure Sockets Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Web

Using Voltage Secur

Development of Object-Oriented Analysis and Design Methodology for Secure Web Applications

Security: Focus of Control. Authentication

An Introduction to Application Security in J2EE Environments

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Internet Programming. Security

Enabling SSL and Client Certificates on the SAP J2EE Engine

Client SSL Integration Guide

AD RMS Microsoft Federation Gateway Support Installation and Configuration Guide... 3 About this guide... 3

Setup Corporate (Microsoft Exchange) . This tutorial will walk you through the steps of setting up your corporate account.

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Web Security: Encryption & Authentication

Security Digital Certificate Manager

Network Security Protocols

SSC - Web applications and development Introduction and Java Servlet (II)

Websense Content Gateway HTTPS Configuration

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications

Integrating Apex into Federated Environment using SAML 2.0. Jon Tupman Portalsoft Solutions Ltd

Securing your Online Data Transfer with SSL

Authentication and Single Sign On

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

Chapter 7 Managing Users, Authentication, and Certificates

The Case For Secure

Using etoken for Securing s Using Outlook and Outlook Express

CTS2134 Introduction to Networking. Module Network Security

Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications

Centers for Disease Control and Prevention, Public Health Information Network Messaging System (PHINMS)


Quickstream Connectivity Options

WebNow Single Sign-On Solutions

Security Digital Certificate Manager

Generating and Installing SSL Certificates on the Cisco ISA500

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications

Key Management (Distribution and Certification) (1)

Setting Up SSL on IIS6 for MEGA Advisor

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

StreamServe Encryption and Authentication

Lepide Active Directory Self Service. Configuration Guide. Follow the simple steps given in this document to start working with

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

CORISECIO. Quick Installation Guide Open XML Gateway

Java Web Programming. Student Workbook

Chapter 17. Transport-Level Security

How To Protect Your Computer From Being Hacked On A J2Ee Application (J2Ee) On A Pc Or Macbook Or Macintosh (Jvee) On An Ipo (J 2Ee) (Jpe) On Pc Or

How to set up Outlook Anywhere on your home system

JVA-122. Secure Java Web Development

Lecture 9: Application of Cryptography

Group Management Server User Guide

Properties of Secure Network Communication

Apache Roller, Acegi Security and Single Sign-on

Owner of the content within this article is Written by Marc Grote

Chapter 10. Cloud Security Mechanisms

Guide. - How to setup secure communication for REST services in Automatisk kortbetaling. Revision 1.3. Nets A/S. Lautrupbjerg 10.

What is an SSL Certificate?

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

Agenda. How to configure

How to Configure Captive Portal

Oracle Service Bus Behind the Firewall in a Service-Oriented Architecture. An Oracle White Paper Updated October 2008

Securing access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001

Oracle WebLogic Server

Ciphermail Gateway PDF Encryption Setup Guide

Savitribai Phule Pune University

Public Key Infrastructure

WHITE PAPER. Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Business Internet service from Bell User Guide

A detailed walk through a CAS authentication

Transcription:

1 Securing a Web Service HTTP Basic Authentication and HTTPS/SSL Authentication and Encryption - Read Chaper 32 of the J2EE Tutorial -

protected session, described later in this chapter, which ensur content is encrypted. 2 HTTP Basic Authentication web server authenticates a client FIGURE A-1 HTTP Basic Authentication Login Page username and password To implement HTTP basic authentication, you carry out these! Set the web service s Authentication property in the IDE! Associate roles with the web service in the IDE! Define users (principals) and user groups in the application! Map users or groups to the roles in the application server o The procedures for carrying out these tasks are described in Authentication on page 194. This security mechanism applies to the entire web service and password may be intercepted while traveling over the network Secure Socet Layer (SSL) encryption 190 Building Web Services June 2003 may be used to overcome this limitation Note The IDE uses a variation of HTTP basic authentication generated client creates the login screen, and the user passwo client proxy, which in turn passes it to the web service s appli

Implemeting HTTP 3 Basic Authetication set web service s authentication property whithin IDE (app. server property) define roles like admin and user define users and user groups map the role names to users and groups generate a client to access the secured web service a login screen is presented to the client

4 HTTPS/SSL Authentication and Encryption SSL (secure socket layer) provides: data encryption server authentication message integrity two fundamental problems of security for networked applications can be solved by SSL: - passwords can be intercepted - identity of a sender or recipient can be faked and optional client authentication

5 Public Key Encryption client or server is in possession of a two-part key: a public key and a private key the private key must be kept secret the public key is made known to all interesting parties keys are related mathematically and have the following properties: a message encrypted with the public key can be decrypted by the private key a message encrypted by the private key can be decrypted by the public key it is computationally impractical to deduce the private key from the public key

6 Features if I encrypt with your public key, only you can decrypt it message can not be read by others if modified by others, message will be garbled encrypting a message with my private key is like signing it (digital signature): everyone knows, that only I can have encrypted it by decrypting it with my public key it must be made shure, that the public key really belongs to me this is done by public key certificates issued by trusted organizations, called certificate authorities (CA)

7 Public Key Certificates certificate specifies the name of the owner and attests that the public key, included in the certificate, belongs to that owner includes an expiration date, name of CA, and digital signature of CA its public key must be known without doubt - how?

Public Key 8 Certificates (2) SSL enabled client or server has a database called a trust store contains trusted certificates certificates conform to the X.509 Public Key Infrastructure (PKI) commercial or private CAs, e.g.: Verisign: http://digitalid.verisign.com Digital Signatures: http:://www.digitrust.com

SSL Handshaking 9 1. The client sends an initial packet to the server containing information such as encryption algorithms that it can use. 2. The server sends a packet to the client containing information such as encryption algorithms that it can use and a copy of its certificate. 3. The client validates the server certificate. The validation process uses the client s trust store. See Public Key Certificates. 4. The client generates a random session key and encrypts the session key with the server s public key, obtained from the server s certificate. The session key is temporary for the duration of the SSL connection. The session key is processed by traditional, two-way encryption-decryption algorithms, and must be known to both parties in the exchange. 5. The client sends the encrypted session key to the server. Only the server can decrypt the session key, using the server s private key. Now the client and the server both have the session key. They use this key to encrypt and decrypt data for the remainder of the session. This technique solves two problems: The client in this scenario does not own a certificate. Therefore public key encryption by itself cannot be used by the two parties to send data in both directions. The session key is also needed. Public key encryption is computationally intensive. It is much more efficient for SSL to apply public key encryption only during the initial handshaking, for verifying a certificate s digital signature and for safe transmission of the generated session key to the server.

10 Securing a Web Application Every Web Service or - more general - Web Application uses a standard Deployment Descriptor a file named web.xml describes elements and configuration information of a web application see Tomcat documentation for details

11 Security Elements inside web.xml, the following elements define security <security-role> as defined in Tomcat s config. file tomcat_users.xml; e.g. admin, manager <security-constraint> maps security roles to web resources using URL mapping <login-config> specifies how the user is prompted to log in

<?xml version="1.0"encoding="iso-8859-1"?> <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xsi:schemalocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version=?2.4?> <display-name>a Secure Application</display-name> <servlet> <servlet-name>catalog</servlet-name> <servlet-class>com.mycorp.catalogservlet </servlet-class> <init-param> <param-name>catalog</param-name> <param-value>spring</param-value> </init-param> <security-role-ref> <role-name>mgr</role-name> <!--role name used in code --> <role-link>manager</role-link> </security-role-ref> </servlet> <security-role> <role-name>manager</role-name> </security-role> <servlet-mapping> <servlet-name>catalog</servlet-name> <url-pattern>/catalog/*</url-pattern> </servlet-mapping> use SSL Example web.xml <!-- SECURITY CONSTRAINT --> <security-constraint> <web-resource-collection> <web-resource-name>salesinfo</web-resource-name> <url-pattern>/salesinfo/*</url-pattern> <http-method>get</http-method> <http-method>post</http-method> </web-resource-collection> <auth-constraint> <role-name>manager</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>confidential </transport-guarantee> </user-data-constraint> </security-constraint> 12 request username and password <!-- LOGIN AUTHENTICATION --> <login-config> <auth-method>basic</auth-method> </login-config> <!-- SECURITY ROLES --> <security-role> <role-name>manager</role-name> </security-role> </web-app>

Basic Authetication 13 with JAX-RPC web client must send username and password steps: add security elements to web.xml define users and their security roles in the tomcat installation modify client code to set security properties - see chapter 32 of the J2EE tutorial -

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information