Hi all,

I'm not such an experienced person, but I have to do a little work on it nowadays. So, let me share what I have. Hopefully, some of it will help. If there is incorrect info, any help with corrections would be appreciated ;-)

1) SSL provides low-level security and you don't need to encrypt or sign your SOAP messages explicitly. It is sufficient if you have peer-to-peer communication between the service provider and the consumer. If there is another node in between, then you should consider the message-based security provided by the WS-Security specification.

3) The WS-Security section, as defined by the WS-Security specification, is positioned within the SOAP Header.

4) WSS4J is the Java implementation of the WS-Security specification.

5) Axis and Axis2 use WSS4J.

6) If you sign and/or encrypt the SOAP, you need to use a certificate. Although it is not secure, you can use the timestamp and/or username token profile without signing and encrypting. I saw a WS application that has an SSL connection and uses the username token profile together with a timestamp.

7) In my case I only use signing. Therefore, before sending messages, I sign them with my certificate, which includes my private key. The consumer has my public key certificate in its keystore. So, it can verify the incoming message with my public key certificate.

8) If I also needed to encrypt messages, the process flow would be as follows:
- Sender
   - Sign the message with sender's private key certificate
   - Encrypt the message with receiver's public key certificate
- Receiver
   - Decrypt the incoming message with receiver's private key certificate
   - Verify the signature with sender's public key certificate

Regards,

Ali Sadik Kumlali
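The sign-then-encrypt flow of item 8 above, as an added example that is not part of Ali's mail or of the WSS4J project itself. It is written against the WSS4J 1.5-era API that Axis used at the time (WSSecHeader, WSSecSignature, WSSecEncrypt, WSSecurityEngine). The SOAP request, the property file names (`sender-crypto.properties`, `receiver-crypto.properties`), the keystore aliases (`sender`, `receiver`) and the key passwords are all assumptions; each side's keystore is assumed to hold its own private key plus the other party's public certificate, exactly as item 7 describes.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecEncrypt;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.w3c.dom.Document;

public class SignThenEncryptExample {

    // Constructed sample request (assumed payload, not from the thread).
    private static final String SOAP_REQUEST =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Header/>"
      + "<soapenv:Body><getBalance xmlns=\"urn:example\"><account>42</account></getBalance></soapenv:Body>"
      + "</soapenv:Envelope>";

    // Assumed aliases and passwords; the crypto.properties files are assumed to point at the keystores.
    private static final String SENDER_ALIAS = "sender";
    private static final String SENDER_KEY_PASSWORD = "sender-key-password";
    private static final String RECEIVER_ALIAS = "receiver";
    private static final String RECEIVER_KEY_PASSWORD = "receiver-key-password";

    /** WSS4J needs a namespace-aware DOM; a non-namespace-aware parse fails in the engine. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    /** Sender side: sign with the sender's private key, then encrypt for the receiver's public certificate. */
    static Document signThenEncrypt(Document doc, Crypto senderCrypto) throws Exception {
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);

        WSSecSignature sign = new WSSecSignature();
        sign.setUserInfo(SENDER_ALIAS, SENDER_KEY_PASSWORD);
        // Embed the sender certificate as a BinarySecurityToken so the receiver can find the verify key.
        sign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        Document signed = sign.build(doc, senderCrypto, secHeader);

        WSSecEncrypt encrypt = new WSSecEncrypt();
        // The receiver's certificate (held in the sender keystore) wraps the generated session key.
        encrypt.setUserInfo(RECEIVER_ALIAS);
        encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
        return encrypt.build(signed, senderCrypto, secHeader);
    }

    /** Receiver side: decrypt with the receiver's private key, then verify the sender's signature. */
    static void decryptThenVerify(Document doc, Crypto receiverCrypto) throws Exception {
        // Supplies the receiver's private key password when the engine unwraps the session key.
        CallbackHandler passwords = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback c : callbacks) {
                    ((WSPasswordCallback) c).setPassword(RECEIVER_KEY_PASSWORD);
                }
            }
        };
        // Throws WSSecurityException if decryption fails or the signature does not verify
        // against the sender certificate found in the receiver keystore.
        new WSSecurityEngine().processSecurityHeader(doc, null, passwords, receiverCrypto, receiverCrypto);
    }

    public static void main(String[] args) throws Exception {
        Crypto senderCrypto = CryptoFactory.getInstance("sender-crypto.properties");     // assumed file
        Crypto receiverCrypto = CryptoFactory.getInstance("receiver-crypto.properties"); // assumed file

        Document wire = signThenEncrypt(parse(SOAP_REQUEST), senderCrypto);
        decryptThenVerify(wire, receiverCrypto);
        System.out.println("decrypted and signature verified");
    }
}
```

Each `build()` call prepends its element to the `wsse:Security` header, and the engine processes that header top-down, so building in the order sign, then encrypt yields a message whose `EncryptedKey` is handled before the `Signature`: the receiver decrypts first and verifies second, matching the receiver steps in item 8. Building in the opposite order would leave the signature computed over ciphertext, which hides who signed the plaintext and is the main reason the thread's sign-then-encrypt ordering is the one to keep.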

[EMAIL PROTECTED] wrote:
Hi Anna,
 
I think wss4j provides message level security. (i.e. the security related aspects are there in the SOAP headers and so it is not using ssl). How is it different from making an SSL connection explicitly from the client to the server and then using the certificates, encryption etc.?
 
If you get some time, then could you write a detailed mail on that?
What is the “double ssl” that you mentioned?
 
Regards,
Subir S
Hyderabad-500081, AP
tel: 040-30795137
 

From: Anna Krajewska [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 04, 2006 11:39 AM
To: [email protected]
Subject: Re: Securing Axis Web Services
 
Hi
 
I use WSS4j. I create a password-secured WS with a certificate-signed response. All communication is done with double ssl.
What you should use depends on what kind of data you send. If only the response of the WS contains privileged data you don't have to put much security on the request - a password is the best.
 
Regards
 
Ania
----- Original Message -----
Sent: Tuesday, April 04, 2006 1:12 AM
Subject: Securing Axis Web Services
 
I am kinda used to building WS with Axis, but I've never done any secure WS before.

By secure I mean: only authorized access.

I read Axis' documentation and they say I can use the sister project XML Signature.

For you experienced guys, what is the best way (simple but functional) to allow only authorized access to my WS?

Using certificates? HTTPS? User/Password in the SOAP header?

Thanks
Daniel



