By nature, web services are loosely coupled, and their reliance on open access, mainly over HTTP, makes security a major concern.
Web services security covers the following aspects:
Authentication: a user's identity is verified based on the credentials presented by that user, such as a user ID/password pair or an authentication token.
Authorization (or access control): granting access to specific resources based on an authenticated user's entitlements.
Confidentiality, privacy: keeping information secret. A message, for example a web service request or an email, as well as the identities of the sending and receiving parties, is handled in a confidential manner. Confidentiality and privacy can be achieved by encrypting the content of a message and obfuscating the sending and receiving parties' identities.
Integrity, non-repudiation: making sure that a message remains unaltered in transit by having the sender digitally sign it. The recipient validates the digital signature, which also provides non-repudiation. A timestamp in the signed message prevents anyone from replaying it after it expires.
For details, refer to the link below.
Securing RESTful Web Services
Using web.xml
1) Define a <security-constraint> for each set of RESTful resources (URIs) that you plan to protect.
2) Use the <login-config> element to define the type of authentication you want to use and the security realm to which the security constraints will be applied.
3) Define one or more security roles using the <security-role> tag and map them to the security constraints defined in step 1. For more information, see "security-role" in Programming Security for Oracle WebLogic Server.
4) To enable encryption, add the <user-data-constraint> element and set the <transport-guarantee> subelement to CONFIDENTIAL. For more information, see "user-data-constraint" in Programming Security for Oracle WebLogic Server.
Example –
<web-app>
    <servlet>
        <servlet-name>RestServlet</servlet-name>
        <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>RestServlet</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <!-- Step 1: protect the /orders resource. Only the listed HTTP methods are
         constrained; omit <http-method> entirely to cover all methods. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Orders</web-resource-name>
            <url-pattern>/orders</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <!-- Step 3: only callers in the admin role may access the collection -->
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <!-- Step 4 (<user-data-constraint> with CONFIDENTIAL) is not shown here -->
    </security-constraint>
    <!-- Step 2: HTTP Basic authentication against the default realm -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>default</realm-name>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
</web-app>
Using SecurityContext
Injecting javax.ws.rs.core.SecurityContext with @Context gives a resource method access to:
1) A java.security.Principal object containing the name of the user making the request.
2) The authentication type used to secure the resource, such as BASIC_AUTH, FORM_AUTH, or CLIENT_CERT_AUTH.
3) Whether the authenticated user is included in a particular role.
4) Whether the request was made using a secure channel, such as HTTPS.
Example –
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;

@Path("/stateless")
@Stateless(name = "JaxRSStatelessEJB")
public class StlsEJBApp {
    ...
    @GET
    @Produces("text/plain;charset=UTF-8")
    @Path("/hello")
    // The container injects the caller's SecurityContext via @Context.
    public String sayHello(@Context SecurityContext sc) {
        if (sc.isUserInRole("admin")) return "Hello World!";
        throw new SecurityException("User is unauthorized.");
    }
}
Using Annotations
The following annotations from javax.annotation.security can be applied to resource classes and methods:
Annotation | Description
DeclareRoles | Declares roles.
DenyAll | Specifies that no security roles are allowed to invoke the specified methods.
PermitAll | Specifies that all security roles are allowed to invoke the specified methods.
RolesAllowed | Specifies the list of security roles that are allowed to invoke the methods in the application.
RunAs | Defines the identity of the application during execution in a J2EE container.
Example –
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

@Path("/helloworld")
// Class-level default: callers must be in ADMIN or ORG1.
@RolesAllowed({"ADMIN", "ORG1"})
public class HelloWorld {
    @GET
    @Path("sayHello")
    @Produces("text/plain")
    // Method-level annotation overrides the class default: ADMIN only.
    @RolesAllowed("ADMIN")
    public String sayHello() {
        return "Hello World!";
    }
}
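The SecurityContext and annotation approaches combined in one resource, as an added example that is not part of the original post: a class-level @RolesAllowed sets the default, @PermitAll and @DenyAll override it per method, and SecurityContext is used to reject plain-HTTP and unauthenticated calls with proper HTTP status codes instead of a SecurityException (which the container turns into a 500). It assumes a JAX-RS 1.x (javax.ws.rs) container that enforces javax.annotation.security annotations on this resource (for a plain, non-EJB Jersey 1.x resource that means registering RolesAllowedResourceFilterFactory in the servlet init-params); the path, class name and role names are hypothetical.

```java
import java.security.Principal;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Hypothetical resource (not from the post): class-level roles are the default.
@Path("/orders")
@RolesAllowed({"admin", "clerk"})
@Produces("text/plain")
public class OrdersResource {
    // Health check, open to everyone including unauthenticated callers.
    @GET
    @Path("/ping")
    @PermitAll
    public String ping() {
        return "ok";
    }

    // Sensitive operation: admin only, and only over a secure (HTTPS) channel.
    @GET
    @Path("/export")
    @RolesAllowed("admin")
    public String export(@Context SecurityContext sc) {
        // Refuse plain HTTP even if web.xml lacks a CONFIDENTIAL transport-guarantee.
        if (!sc.isSecure()) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        // Principal is null when the container did not authenticate the caller: 401.
        Principal p = sc.getUserPrincipal();
        if (p == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        return "export requested by " + p.getName();
    }

    // Retired endpoint: @DenyAll blocks every role, whatever the class default says.
    @GET
    @Path("/legacy")
    @DenyAll
    public String legacy() {
        return "unreachable";
    }
}
```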
Very useful, in full detail, thanks.