Does anyone have a recommendation about web service security architecture in Java (preferably under JBoss)? Any recommended reading?
I want to expose a fairly rich web service to the world but the data are sensitive and it requires authentication from the current client (Flex), accessed via RPC. I definitely do not want any server-side session state.
What's the best way to go about implementing security through web services in Java/JBoss and where can I read about it?
You could try:
For web services security in JBoss, I would start by reading 8.4 WS-Security of the JBossWS User Guide.
WSSE is simple and works well.
http://www.xml.com/pub/a/2003/12/17/dive.html
http://www.sixapart.com/developers/atom/protocol/atom_authentication.html
Related
How can I secure the communication between the business logic (java) running on Tomcat, and the UI written in AngularJS. The communication obviously will be over REST services. Can anyone advise on this, or provide links to some tutorials, examples?
There shouldn't be concern about securing you REST API in the server side. Because it's just a kind web resources like static CSS or Servlet. If you're using Spring in your application, I recommend you to consider Spring security. Here is a good example.
And you should not worry about accessing secured resources from your Ajax request. Probably, they will reuse the same session information (that is stored in the SESSIONID cookie).
You can find more information about securing your REST resources from here.
We have a application which works with MySql database.
Now we are implementing mobile version of our application and I'm looking for java solution for easy generating rest services from already ready sql queries.
Details on security and performance:
Security is required (LDAP).
Performance - working time of rest request should be approximately equals working time of sql request.
What solutions can be used for it?
I think the best solution is REST4Enterprise
also can take a look on and restSQL
I suggest using spring roo very easy to use
I recommend using netbeans to generate rest webservices from database tables.
Netbeans also offers the ability to generate REST webservices from entity beans (JPA entities).
Have a look at this link.
If you are looking for just CRUD REST services - one of the above tools suggested by others can help.
But for something more check - Dropwizard
my 2c
For Mobile applications, REST is the best recommended architecture. But you have to ensure the session handling at the client side (recommended).
Eclipse -> Webservice -->Create a Sample Rest Webservice will be a good starting point
You can use spring-rest or grails to develop rest services.
Consider doing web services in PHP. No need for anything other than Tomcat, and offers LDAP verification. It is very quick time to market, and PHP works with MySql pretty seamlessly.
You can give a look at Developing REST Web Services Tutorial.. not sure if it's the best solution but could be one... I used it twice and found it usefull and really easy.
In the Java™ world, you can build a RESTful web service in several ways: Some folks use JSR 311(JAX-RS) and its reference implementation Jersey, others use the Restlet framework, and some might even implement from scratch. Spring framework for building Java EE applications, also supports REST in its MVC layer.
http://www.ibm.com/developerworks/webservices/library/wa-spring3webserv/index.html
Below article also covers RESTful web services api using java and mysql
http://www.9lessons.info/2012/09/restful-web-services-api-using-java-and.html
As per the title, I am wondering what are some best practices for Web service user authentication and session management, mainly for backend implementation, especially using Java (J2EE).
Has anyone published anything on the subject? What kind of security considerations should one keep in mind when working with user authentication? What kind of design patterns are related? How should sessions be managed? What does a well-designed architecture look like?
Are there existing systems that could be used as good examples, or even bad examples?
As the Java EE specifications for web services actually consist in exposing a stateless session bean as a web service, you won't be able to implement session management without a "home-made" solution such as including a user token in each of your request.
Not specifically REST but we use same authentication mechanism for standard webservices as for any other web container request. Means send basic authentication data to backend. Over SSL. Never had any issues.
I have a web application in JAVA (Spring MVC framework) and I want to connect to a website and use its web services which wrote in php, is it possible ? if yes how can I do that?
It doesn't matter what language one used to create a webservice. You can talk to any webservice by agreeing on how it exchanges messages.
Yes, Spring integrates well with Apache Axis: http://axis.apache.org/axis2/java/core/docs/spring.html
To consume web services with Spring you can use JaxWsPortProxyFactoryBean to create a client proxy: http://musingsofaprogrammingaddict.blogspot.com/2009/03/writing-and-testing-jax-ws-clients.html
From Spring in Action, here's how you'd configure an example web service proxy bean:
<bean id="spitterService" class="org.springframework.remoting.jaxws.JaxWsPortProxyFactoryBean"
p:wsdlDocumentUrl="http://localhost:8080/services/SpitterService?wsdl"
p:serviceName="spitterService" p:portName="spitterServiceHttpPort"
p:serviceInterface="com.habuma.spitter.service.SpitterService"
p:namespaceUri="http://spitter.com"/>
The beautiful thing about web services, and web services are beautiful things, their hosts are made with wsdl's, their client is made in Spring! (Totally stole that from the mouse (just a warning, as per the comments, this rhyme is not to be used as an authoritative anything. It is an attempt at humor by someone who was excessively tired at 3 AM because of Win 7 issues))
Web services are language agnostic -- the only thing which matters is that they are up and running (and serving valid outputs), not that they are using technology X, Y, or Z. Theoretically, you could even have a webservice running on something written in Piet or Brainf*ck.
A tutorial on how to create a client can be found here.
Use CWSDLGeneratorDocument.php for generate WSDL file in DOCUMENT/LITERAl style and use standart library JAX-WS in java 1.7.
I am new to web serivce. I have written a few clients using AXIS2 but nothing more. Now I have to create some service that will be consumed by others. We have a web application written using wicket.
Does my webservice need to be a part of the web application. Can it be a deployed seperately, but still use the same code that is used by the web application.
any tips of how to start including security, authentication etc. Any reference to reading material, tutorial is greatly appreciated.
Taking the questions one at a time:
Does the webservice need to be part of the web application? No. It can be a completely separate project with it's own deployment.
Can it be deployed separately? Yes, see #1.
Can it use the same code as the web app? Yes. This is a matter of how you reference the web app. You might consider branching the code, or just building it in to the web app to begin with.
A couple of resources:
RESTful webservices with Wicket
Web service API for Wicket
Bear in mind, I've never used wicket before so I have no idea if the above links are worthwhile.
Regarding security. You usually provide a web api "key" of some sort to your clients. That key is then passed in to every api call which you then validate for both authentication and authorization. This is how most systems work.
Also, just like with web apps, the calls to the API should go over an SSL connection in order to try and prevent anyone from eavesdropping on the conversation.
As far as logging, this is no different than logging you would set up for a normal web app. There are plenty of logging tools out there like log4j.
Short answer: Generically, yes, you can deploy your web service as part of your web application. You should think of your web service as another "view" on your business logic. If you have followed good patterns (e.g. putting your business logic in a library, not controllers) this shouldn't be too hard.
You may want to "enforce" this by putting shared business logic in one library, and then split the web service and web application into another project.
There are really too many options for web services to list them all, but here's a place to look as a tutorial:
http://static.springsource.org/spring-ws/sites/1.5/reference/html/tutorial.html
Follow the below link that explains how to expose your ASP.Net web application functionality as a web service. The below article takes TrendsInInvestment web application to explain the procedure.Features like authentication,caching and pagination has been included while implementing web service.
1)Link for article.
http://securityresearch.in/index.php/tutorials/how-to-expose-your-asp-net-web-application-functionality-as-awebservice
2)Link for the modified web application,web service and its sample code .
http://securityresearch.in/index.php/projects/f_security/trends-in-investment-web-service-1-0-is-now-available