Securing Web Services

Using web services gives you flexibility of using interoperability between different applications no matter which language they are developed into or what platforms they use. That's why today more and more applications are based on web services.If you are developing a travel portal which helps users plan their trip, your portal should have an enquiry facility so that users can search for accommodation in different hotels,airlines,trains of their choice on a given date and finally plans for the trip.Now with traditional web application you can provide link to each and every hotels,airlines vendors and railways booking system.Which is a cumbersome process and sometimes interoperability is an issue. Again from business point of view you are not benefited because customer will be directed to the respective vendor's portal to do the transaction.Here web services come into rescue. With development of Web2.0, web applications have become more powerful and web services is one of them.You can develop your travel portal in any way you want and use the web services developed by different vendor's to use their functionality from your travel portal only without redirecting customers to their websites. The customer will do transaction on your website and you pay for using the web services to respective vendors.The most important feature is centralization. The customer will not have to roam to every website for every specific enquiry like for hotel booking he need not go to particular hotel website or particular airline website; he simply do all the bookings using your portal just using particular web services of vendor.
Web services also suffers from the same problems as traditional enterprise web applications face. Authentication, Authorization, Confidentiality ,Integrity are few of the them.Assume there are different web services deployed on your local ESB which orchestrate between all the web services. Any body can connect to your ESB and use the web services. There's no restriction in the place.Following figure displays non secured web services.

To avoid the this situation you want that only specific clients can use your web services not every body. And also you want that all the communications between different web services must be encrypted with the keys of respective client,providing confidentiality and integrity.

Implementing Authentication, Authorization and Identity:
Every client request message header contains the following attributes:AuthType and AuthKey --which are not used in normal client request—are used here for creating authentication and authorization.

Create a WSDL which uses those above attributes to provide authentication.
In the WSDL file there are two attributes:
When a client request doesn’t have X509 certificate, the “NoX509CertificateFault” is returned by the service.When a client request presents any X509 certificate, which doesn’t match one already issued, then “InvalidX509CertifiacteFault” is returned by the service.
Create a corresponding web service to the WSDL document.

Implementing Confidentiality and Integrity:
Next step is to encrypt and sign the communication between different services inside the normal business process on ESB to meet Confidentiality and Integrity conditions.We need to endorse each and every web services which are participating in business flow to use the X509 certificate for encryption and signing.
A dialog box opens containing ‘Quality Of Service’ for the corresponding web service. Check ‘Secure Service’ check box. Select ‘Endorsing certificates’ from the list ‘Security Mechanism’. Check ‘Use Development Defaults’.In the ‘Input Message’, select ‘X509’ from the list of ‘Authentication Token’.Check the ‘Signed’ and ‘Endorsing’ options below.

In the same dialog box click on ‘Keystore’ button and provide path for the stored keys on the server to be used. Use the same process for ‘Truststore’ .

The above process just provides an outlook to how to secure web services. It involves more minor steps. That should also be followed.


Popular posts from this blog

SQL Injection in search field

File Upload through Null Byte Injection