Areas to be addressed as part of Security(WS Security)
- Authentication
- Username token profile, X 509 Certificates, SAML(Singlesign On)
- Confidentiality
- Encryption/Decryption
- Integrity
- Signatures(hash value of message)
- non-repudiation
- TimeStamp(prevent replay attacks)
Stateless Authentication Mechanisms
- Basic Auth
- Client sends Username/Password for every request as state is not maintained in Server
- User/passwd details are sent as part of Request Header
- Concatenate Username & password with : as delimiter
- Base 64 encoding on the concatenated String
- Encoded string is passed as value to Header key 'Authorization' with a prefix as 'Basic '
- This is not Secure as the encoded string can be decoded.
- So, always send it over https request to protect it
- We make Bae 64 encoding to handle non-http compatible chars in username/passwd
- Advantages
- Simple, Stateless Server, Supported by all browsers,
- Disadvantages
- requires https to protect
- it is subjected to replay attacks
- Logout is tricky(Browser caching)
- Digest access Authentication
- This mechanism does Encription(https://en.wikipedia/org/wiki/Digest_access_authentication)
- Asymmetric cryptography
- https://en.wikipedia/org/wiki/Public-key_cryptography
- Both client and server Uses public and private keys
- OAuth
- https://en.wikipedia/org/wiki/OAuth
- JSon Web Tokens
- https://en.wikipedia/org/wiki/JSON_Web_Token
- Interceptors are designed to manipulate Entities(input and output streams).
- Filters manipulate Headers/uris/matadata information
- Interceptors manipulate actual body of request/response
- Filters are used for cross cutting concerns like Logging, security
- Interceptors are used to Encode an entity response
- Filters & Interceptors work on Client too.
SOAP
Encryption/Decryption Concepts- UsernameToken
- Most used ways while using SOAP based webservices
- It defines standard to pass Username & Password inside SOAP header
- Steps to configure
- Create interceptors in cxf-servlet.xml
- create password callback handler
- Symmetric or Private
- Sender encrptps the data with private key
- Receiver decrpts with his private key
- This is expensive as vendor has to maintain pair of keys for every application/user
- Public key crptography
- Data will be encrypted with public key
- Decription will be done with private key
- Private key cannot be derived even if hacker knows Public key
- RSA is public key encrpytion algorithm
- Key and Certificate management utility
- When Public & private key are generated KEYSTORE file will be created. This is the place where Private and Public keys are stored. This file is password protected.
- For each Private key, we give a alias/username & also a password
- Public key can be exported into Certificate which can be distributed across our client applications.
- keytool - genkeypair -alias mykey -keypass mykeypass -keystore -mykeystore.jks -storepass mystorepass -validity 100 -dname "cn=Venkat Desu, ou=ws, o=VenkatInc,c=IN"
- Export public key out of keystore(to distribute to client)
- keytool -export -rfc -keystore mykeystore.jks -storepass mystorepass -alias mykey -file MyCert.cer
- Import certificates into alternate keystores
- keytool -import -trustcacerts -keystore servicekey store.jks -storepass mystorepass -alias mykey -file MyCert.cer -noprompt
- To ensure integrity of data and is not tampered on the way
- It is fixed length value that is calculated using content of the message by applying algorithm on it. This value is also known as hash. The hash is calculated using a private key
- Hash is sent to server side along with the message
- On the serverside, the hash is recalculated using Public key of corresponding private key.
- Content is termed as not tampered when both the hashes are same.
- TimeStamp
- This has both Creation & Expiry times.
- Server rejects the message when expiry time is past the current time
- Restful applications are slightly different from webapplications. Webapplns are directly used by end user and end user authenticates. Where as Restful applications, it is the application that authenticates with Restful application.
No comments:
Post a Comment