Simple HTTP Request vs Web Service - java

One desktop application needs to get some services from server.
For example sending some parameters and receiving some result.
Imagine implementing a solution by Java Servlets, in a way that the app sends the parameters to the servlet (POST) and receives the result in XML.
Does this approach have any security issues compared with web services (SOAP / RESTful)?
Thanks and sorry if the question is a bit general.

I don't think so. But personally I would still go over REST, mainly because it would be easier to maintain and update if needed. Also probably easier to test and implement.

As long as your solution has suitable authentication (username/password) and takes place over SSL, it's no less secure than Web Services/SOAP. And indeed you might find it a simpler solution to implement.

The security issue is the same for both solutions because it's HTTP, but I wouldn't do the POST thing because it's not structured properly, meaning it's client-dependent and not using a standard. If you don't like XML, you can try JSON.

Related

REST HTTP Authentication - How?

So, I'm developing a REST webservice using RESTeasy and Google App Engine. My question isn't related to GAE, but I mentioned it just in case it matters. It happens that naturally I need to secure my resources and my own users (not Google's).
Securing a REST webservice seems like a very controversial subject, or at least a very 'liberal' one. REST doesn't impose any standard on this matter. From what I've researched on the web and literature, there are at least 3 approaches that I think might fit in my application:
HTTP Basic (with SSL)
HTTP Digest (with SSL)
OAuth
OAuth seems like the most complete approach. But I don't think that such a complexity is needed because I will not need to authorize any 3rd party applications. It is a webservice to be consumed by my own client applications only.
HTTP Basic and HTTP Digest appear as the most simple ones on the web, but the fact is that I've never found a concrete implementation of them using RESTeasy, for example.
I've found this page and this one in RESTeasy's documentation. They are indeed very interesting, but they tell little or nothing on this subject (HTTP Basic or Digest).
So, here I am asking:
How do I secure my WebService using HTTP Basic or Digest in RESTeasy?
Perhaps it is so simple that it isn't worth mentioning in the documentation or anywhere else?
Also, if anyone can provide me some insight on the matter of securing RESTful webservices, it could be helpful.
Am I choosing the right approaches?
The simplest way to secure a REST API is to use HTTP Basic authentication over SSL. Since the headers are encrypted, there is not much point in using Digest. This should work great as long as you can keep the password secure on the client(s).
I've managed to accomplish this by using RESTeasy's Interceptors.
Basically, the requests are intercepted by using a listener-like class. In this class I inspect the request's HTTP headers and then the normal Basic-Auth process goes on.
Useful links:
http://en.wikipedia.org/wiki/Basic_access_authentication
Passing parameters in the message header with a REST API
http://www.alemoi.com/dev/httpaccess/ (the Servlet part)
I hope this helps anyone.
Thanks.
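The check these answers describe (read the `Authorization` header, run the Basic-Auth process, accept it only over SSL), as an added example that is not part of the original posts and is not RESTeasy's own code. The account, salt, password and the `authenticate` helper are constructed for illustration; `secureTransport` stands for what the container reports, for example `request.isSecure()` in a servlet.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
public class BasicAuthCheck {
    // Constructed sample account; a real service loads a per-user salt and hash from its user store.
    static final String USER = "desktop-client";
    static final byte[] SALT = "constructed-salt".getBytes(StandardCharsets.UTF_8);
    static final byte[] STORED = hash("constructed-password".toCharArray());

    static byte[] hash(char[] password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, SALT, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Returns the authenticated user name, or empty when the caller should answer 401. */
    static Optional<String> authenticate(String header, boolean secureTransport) {
        // Basic credentials are only base64-encoded, so refuse them on a non-TLS connection.
        if (!secureTransport || header == null) return Optional.empty();
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) return Optional.empty();
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Optional.empty();               // malformed base64
        }
        int colon = decoded.indexOf(':');          // split on the first ':'; the password may contain more
        if (colon < 0) return Optional.empty();
        String user = decoded.substring(0, colon);
        byte[] candidate = hash(decoded.substring(colon + 1).toCharArray());
        // Constant-time comparisons, both always evaluated (non-short-circuit &).
        boolean passOk = MessageDigest.isEqual(candidate, STORED);
        boolean userOk = MessageDigest.isEqual(user.getBytes(StandardCharsets.UTF_8), USER.getBytes(StandardCharsets.UTF_8));
        return (passOk & userOk) ? Optional.of(user) : Optional.empty();
    }
    public static void main(String[] args) {
        String good = "Basic " + Base64.getEncoder().encodeToString("desktop-client:constructed-password".getBytes(StandardCharsets.UTF_8));
        System.out.println(authenticate(good, true));        // valid credentials over TLS
        System.out.println(authenticate(good, false));       // same credentials over plain HTTP
        System.out.println(authenticate("Basic !!!", true)); // malformed header
    }
}
```

An interceptor or servlet filter would call `authenticate` with the request's `Authorization` header and, on an empty result, reply 401 with a `WWW-Authenticate: Basic` challenge.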
You will definitely face a security risk when using any authentication method without SSL.
But if you do use SSL, you will usually suffer from poor performance.
OAuth is actually a solution to allow 3rd parties to obtain access to your webservices.
Due to the limited selection, my solution for a current webservice that requires authentication used the combination of SSL + Basic.
You might look at using OAuth 2. It is significantly simpler than OAuth 1 and is actively being used on large REST APIs by Facebook and Google.

Best way to handle reading HTTPRequest POST data on a RESTful API

What is the best way to save data using a RESTful web service without using Ajax? As an example, I need to add a new Customer to the database using a submit button.
What is the best data format for transfer (text, JSON, XML)?
How do I read POST or GET data from the HttpRequest object?
If you can, please give me an example in Java.
Thank you
I think you need to separate the concepts a bit. A "RESTful Web Service" is a web service designed using REST principles, whereas AJAX is a set of technologies often used on the client side for asynchronous requests to multiple resources (without fully reloading the page). The web service really shouldn't care how the HTTP request is generated, just the contents of the HTTP request.
Now if you're concerned about writing a REST service in Java, I would highly recommend looking into JAX-RS and the reference implementation Jersey. There are lots of examples of how to get up and running. You can use MessageBodyReader implementations to convert data from the HTTP request entity into Java objects.
Obviously this is not the only way to get started with writing a Restful web service in Java, but is one way.
It's very definitely worth your time to carefully study Richardson and Ruby's RESTful Web Services to learn the REST architectural style. In addition to @ach_l's recommendation to use Jersey, take a look at the Restlet Java framework, which is completely wonderful.

Simple web service using Amazon SES

I would like to use AWS and especially Amazon Simple Email Service (SES) in order to setup a webservice allowing to send emails.
Emails would be triggered by some kind of POST request to the webservice with some authentication, and the webservice would then just send the email on behalf of the web service user.
Where should I start? The webservice part looks dead simple but I'm not familiar at all with web services. I still need to run some kind of multithreaded webserver since there could be a bunch of concurrent requests.
Is there a way for me to write a very simple web server in Ruby or Java to do that? Any pointer appreciated.
After some digging, the simplest solution is to use something like node.js or sinatra. The nice thing is that these are almost self-contained and require barely any configuration. They provide a very easy way to reply to HTTP requests.
Once you get one of these, you start the script with a port.
The small webservice will now listen on that port. You only need to take action based on the requests passed as parameter.
And yeah, now it sounds so obvious...
Their documentation is a good way to start. It's quite easy to start; you may encounter difficulties based on your problem domains.
You also need to implement something on top of this service.
http://docs.amazonwebservices.com/ses/latest/DeveloperGuide/index.html
http://docs.amazonwebservices.com/ses/latest/APIReference/
http://docs.amazonwebservices.com/ses/latest/DeveloperGuide/
Good Luck!
I would start by looking at the AWS SDK for Java.
They seem to support SES.
http://docs.amazonwebservices.com/AWSJavaSDK/latest/javadoc/index.html
Good Luck!

Implementation of web service

I just want to implement a service in java that will:
take some arguments, then search the database
return the JSON object of the fetched data
I need help to identify the ways through which I can implement this thing.
e.g. Suppose I am getting the name of the book as argument I want to render.
On service part, I have to fetch book data and convert it to JSON and write/return to response.
I was looking at the Apache Axis2 but I am not sure that I am going in the right direction.
So, pls help.
Need guidelines not implementation.
Thanks
I would suggest using JAX-RS based services, which would be ideal for your scenario as you want JSON data. These are pretty easy to get started with. Jersey is a widely used framework. Also see RESTEasy.
If you are returning the data in JSON then you probably don't need to implement a full web service, which uses XML for both the request and the response.
A normal dynamic web application (written as a Java Servlet) will be able to read request parameters in the HTTP payload and return a JSON-encoded HTTP response.
However you need to consider your clients; if they are only able to access web services then you need to forget about a JSON response and simply objectify the response. However if the clients can access web resources without issue then go with the servlet approach.
If you need to go with web services then look at the Metro 2 framework.
One way to do this is to keep it standards-based.
If you are using the JEE5/6 framework, your best bet would be to go with JAX-WS, which comes built in with the JSE too (if I remember correctly).
You really just have to annotate a POJO with @WebService to achieve this.
Regarding creating a JSON response, a good bet is to stick with the implementation from http://code.google.com/p/google-gson/ ; simple and straightforward.
Axis2 can handle/support the webservice related part, iaw, transforming Java objects into JSON and vice-versa and providing an easy-to-use API for the communication part.
Hibernate or JPA could be useful for database related tasks, although it might be easier to just use JDBC to send some simple SQL commands to the database (especially if the database already exists).

Connecting a PHP front-end to a back-end java service

I am currently using various back-end services and I want to use PHP to simply query these services and perform the final page construction. These services could be coded in any number of programming languages such as Erlang, Java, Python etc. However, I am unsure of the best way to actually interface the back-end services with the web app. Requests to these services would be both synchronous and asynchronous. Would I use something like SOAP or JSON-RPC?
Any help greatly appreciated.
You might want to have a look to Thrift:
http://incubator.apache.org/thrift/
I think you are on the right track using JSON-RPC. I don't like SOAP at all because it is just way too complicated in my opinion.
I would create an interface (document it properly, like Twitter for example) which I can easily test using cURL from the command line.
I think Twitter has a pretty good (not perfect) API.
Also, ProgrammableWeb.com is a good place to look up APIs (see how other people create APIs).
This is a general question about how to design web services, and there is a hype around using REST-like web services. This way you can simply call a given URL (which is even user-readable). This increases the interoperability of your web service, so you can mix the programming languages which use the REST interface. IMHO it's easier than using a SOAP-like web service, as you simply call GET on a URL like http://www.example.com/user/5/ (think of it as the mod_rewrite of web services).
I'd use NuSOAP (to consume java webservices).
