
So I am new to spring-ws and to SOAP in general, and am concerned about the security of information being sent to my SOAP service.

I want to use some sort of http authorization and it seems like this is not done via the spring-ws API.

  • Does anyone know a good resource for information on doing this,
  • Have any advice to offer?

I admit that I lack a lot of knowledge when it comes to security policy, so anything helps.

By the way, I am using Glassfish 3 as my application server.

EDIT: I am not trying to put the security features in the SOAP message. I am sending customer information, so the HTTP message has to be encrypted. Authentication to ensure that the request is coming from the right people (so random users cannot use my SOAP service) would be a huge plus.

thatidiotguy
  • What do you mean exactly by 'security' - do you just want to protect information being sent over the wire or you need authentication/authorization or both? – maximdim Feb 08 '12 at 18:44
  • I would like to encrypt information over the wire AND authenticate users. – thatidiotguy Feb 09 '12 at 14:26
  • 3
    Well, in my opinion, the simplest way then would be just to configure your web container to use SSL with client authentication. It might or might not be applicable to your case (e.g. in case it's public service you're providing you might not want to distribute client certificates etc) but this way your transport would be encrypted and authenticated and your web service wouldn't need to deal with any of these details. – maximdim Feb 09 '12 at 15:23
  • Could you elaborate on how exactly one goes about doing this? I am a novice when it comes to security, as I have only one year of professional development experience, and am really at square one with this stuff. What you are talking about is, however, exactly what I want to do: I want to leave the security out of the SOAP message. – thatidiotguy Feb 09 '12 at 15:24
  • 1
    Configuring HTTP security is container-specific. What's your target deployment environment? – maximdim Feb 09 '12 at 15:32
  • When you say container, what exactly do you mean? It will be on the Glassfish application server on a Linux box with Apache. – thatidiotguy Feb 09 '12 at 15:34

3 Answers

If you want to use SSL client authentication, it would be container-specific configuration. If your target deployment is, for example, Glassfish, you could start with reading this.

Keep in mind that with SSL client authentication you would need to deal with either issuing clients' certificates (through your own CA) or accepting existing client certificates. This could be acceptable if you're in a more or less controlled environment (B2B, for example) but a real hassle if you're trying to build a public web service. Do some reading about SSL client authentication, certificates etc. There is plenty of info on the Internet.

maximdim

There is a whole chapter describing the security aspects of spring-ws here. Have you looked at it?

Edit: Some more information on SO

Peter Svensson
  • Yes I have; the issue is that I want to do all the security through HTTP, not in the actual SOAP messages. As you can see from that page, it even says "Note that plain text passwords are not very secure. Therefore, you should always add additional security measures to your transport layer if you are using them (using HTTPS instead of plain HTTP, for instance)." but it never explains how to do that. What I am asking is: how do you do that? Is it something done by the application server, set up in my application context, hard-coded in, etc.? – thatidiotguy Feb 09 '12 at 15:23

I like how this post describes the difference between HTTPS and WSS. It can be helpful for you.

jddsantaella