Friday, September 24, 2010

Secure Web Services - WS-Security

Security is one of the key factors in the success of an IT project, but most of the time only user authentication or data encryption are taken into account. The security of the application itself is therefore often not addressed, or is left aside because of the complexity of the implementation.
One reason for this situation is that the solutions or frameworks proposed to secure an application are difficult to configure and maintain, and this remark applies in particular to the WS-Security specification.

In large companies that have deployed web services to connect applications with each other or with partners, the authentication mechanisms of the web application and of the HTTPS protocol are what secures the platform. That means that a user who discovers the credentials used to connect to the web server can potentially gain access to the company's services.

WS-Security offers a way to authenticate the user connected to a web service, or to let a user be trusted by the web server it is connected to. This mechanism is interesting because it reinforces security and also provides a way to restrict access to the web services to authorized users only.

The Apache Camel and CXF frameworks offer a simple way to implement this with only a few lines of code and some Spring bean definitions. Let's see that in action:

STEP 1

We only need the JAAS API, through the Java package "javax.security.auth.callback", and the Apache WSS4J project. Here is a simple example in which the callback handler looks up the password of the user in a list, so that WSS4J can check it against the credentials provided in the request.


package org.apache.camel.example.reportincident;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Callback handler that supplies WSS4J with the password registered for the
 * user named in the UsernameToken. WSS4J performs the comparison (or the
 * digest recomputation) itself; the handler never sees the client's value.
 */
public class UTPasswordCallback implements CallbackHandler {

    private final Map<String, String> passwords = new HashMap<String, String>();

    public UTPasswordCallback() {
        passwords.put("claus", "sualc");
        passwords.put("charles", "selrahc");
        passwords.put("james", "semaj");
        passwords.put("abcd", "dcba");
    }

    /**
     * Here, we attempt to get the password from the private alias/passwords map.
     */
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            String user = pc.getIdentifier();
            String pass = passwords.get(user);
            if (pass != null) {
                // Hand the stored password to WSS4J, which verifies it against the token.
                pc.setPassword(pass);
                return;
            }
        }
        // No password is known for this user: WSS4J turns the exception into a SOAP fault.
        throw new IOException();
    }
}


STEP 2

This is where the magic operates: we use Spring bean definitions with the Apache web services framework CXF and Apache Camel to expose the web service.

Instantiate your WSS4J bean


Add it as an interceptor to CXF, so that CXF can authenticate the user with the credentials provided in the SOAP security header.



Here is an example of the SOAP message: the security header carries a Timestamp and a UsernameToken whose password is sent as a digest, not in clear text (the soap, wsse and wsu prefixes stand for the SOAP 1.1 envelope and the WS-Security 1.0 secext and utility namespaces).

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsu:Timestamp>
        <wsu:Created>2010-09-24T07:31:06.308Z</wsu:Created>
        <wsu:Expires>2010-09-24T07:36:06.308Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken>
        <wsse:Username>charles</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">KoNvkEh9jwgvxTfcTza6+kHkKNI=</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">havIKNKvlRuatlp3CncMKw==</wsse:Nonce>
        <wsu:Created>2010-09-24T07:31:06.306Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <inputReportIncident xmlns="http://reportincident.example.camel.apache.org">
      <incidentId>222</incidentId>
      <incidentDate>2010-07-14</incidentDate>
      <givenName>Charles</givenName>
      <familyName>Moulliard</familyName>
      <summary>Bla</summary>
      <details>Bla bla</details>
      <email>cmoulliard@apache.org</email>
      <phone>0011 22 33 44</phone>
    </inputReportIncident>
  </soap:Body>
</soap:Envelope>
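To see what WSS4J does with the password that UTPasswordCallback hands back, here is an added example of my own (not the blog's code and not part of Apache Camel or CXF) that checks a PasswordDigest UsernameToken on the server side: it recomputes Base64(SHA-1(nonce bytes + Created + password)) from the stored password, compares it in constant time with the digest presented, and rejects stale or replayed tokens. The class and method names, the five-minute freshness window, the one-minute clock-skew tolerance and the sample nonce are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Server-side check of a WS-Security UsernameToken of type PasswordDigest.
 * Added example, not WSS4J's own code: it mirrors the verification WSS4J
 * performs once the callback handler has supplied the stored password.
 *   PasswordDigest = Base64( SHA-1( nonce-bytes + Created + password ) )
 */
public class UsernameTokenDigestCheck {

    /** Assumed freshness window after "Created" and tolerated clock skew. */
    private static final Duration MAX_AGE = Duration.ofMinutes(5);
    private static final Duration MAX_SKEW = Duration.ofSeconds(60);

    /** Nonces already accepted; a production service would use an expiring cache. */
    private final Set<String> seenNonces = Collections.synchronizedSet(new HashSet<String>());

    /** Computes the digest exactly as the UsernameToken profile specifies. */
    public static String computeDigest(String nonceBase64, String created, String password) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(Base64.getDecoder().decode(nonceBase64));      // raw nonce bytes, not the base64 text
            sha1.update(created.getBytes(StandardCharsets.UTF_8));
            sha1.update(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(sha1.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 not available", e);
        }
    }

    /**
     * Returns true only if the token is fresh, the digest matches the stored
     * password, and the nonce has not been accepted before (replay protection).
     */
    public boolean verify(String nonceBase64, String created, String presentedDigest,
                          String storedPassword, Instant now) {
        Instant createdAt;
        try {
            createdAt = Instant.parse(created);
        } catch (DateTimeParseException e) {
            return false;                                   // malformed Created element
        }
        if (createdAt.isAfter(now.plus(MAX_SKEW)) || createdAt.plus(MAX_AGE).isBefore(now)) {
            return false;                                   // token from the future or too old
        }
        byte[] expected = computeDigest(nonceBase64, created, storedPassword).getBytes(StandardCharsets.UTF_8);
        byte[] presented = presentedDigest.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, presented)) {  // constant-time comparison
            return false;
        }
        // A nonce that was already accepted means a captured header is being replayed.
        return seenNonces.add(nonceBase64);
    }

    public static void main(String[] args) {
        UsernameTokenDigestCheck check = new UsernameTokenDigestCheck();
        String storedPassword = "selrahc";                   // what UTPasswordCallback holds for "charles"
        String created = "2010-09-24T07:31:06.306Z";         // same Created value as in the header above
        Instant now = Instant.parse("2010-09-24T07:31:10.000Z");
        // Constructed nonce for the example; a real client draws fresh random bytes per request.
        String nonce = Base64.getEncoder().encodeToString("0123456789abcdef".getBytes(StandardCharsets.UTF_8));
        String digest = computeDigest(nonce, created, storedPassword);

        System.out.println("fresh token    -> " + check.verify(nonce, created, digest, storedPassword, now));
        System.out.println("replayed token -> " + check.verify(nonce, created, digest, storedPassword, now));
        System.out.println("wrong password -> " + check.verify(nonce, created, digest, "sualc", now));
        System.out.println("stale token    -> " + check.verify(nonce, created, digest, storedPassword, now.plus(Duration.ofHours(1))));
    }
}
```

Two practical consequences follow from this computation. The server can only recompute the digest if it holds the clear-text password (or receives the same inputs from the callback), which is why UTPasswordCallback returns the password to WSS4J instead of comparing it itself, and why the password store behind that map must be protected accordingly. And the Nonce and Created elements only defend against replay of a captured header if the server actually remembers recent nonces and rejects old Created values; a digest check alone does not.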

And finally, declare your Camel route consuming from the web service endpoint.


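The interceptor the Spring bean definition instantiates can be configured in plain Java as well. The following added example is my own code, not the blog's and not part of Camel or CXF: it wires the STEP 1 callback handler into a WSS4JInInterceptor that demands a digested UsernameToken and a Timestamp, and attaches it to a CXF endpoint published with JaxWsServerFactoryBean. The WSHandlerConstants and WSConstants keys are the real WSS4J ones; the class name, the serviceClass/implementor/address parameters and their values are assumptions of the example.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.handler.WSHandlerConstants;

/**
 * Added example: publishes a CXF endpoint whose incoming messages must carry
 * a WS-Security UsernameToken (digest form) and a Timestamp, verified by WSS4J
 * with the password supplied by UTPasswordCallback from STEP 1.
 */
public class SecuredEndpointPublisher {

    /** Builds the same interceptor the Spring bean definition creates. */
    public static WSS4JInInterceptor usernameTokenInterceptor(UTPasswordCallback callback) {
        Map<String, Object> props = new HashMap<String, Object>();
        // Require both a UsernameToken and a Timestamp; a request without them is rejected.
        props.put(WSHandlerConstants.ACTION,
                  WSHandlerConstants.USERNAME_TOKEN + " " + WSHandlerConstants.TIMESTAMP);
        // Accept only digested passwords, so the clear-text password never travels on the wire.
        props.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
        // Reference to the callback object (passwordCallbackClass would name a class instead).
        props.put(WSHandlerConstants.PW_CALLBACK_REF, callback);
        return new WSS4JInInterceptor(props);
    }

    /**
     * Publishes the service implementor at the given address with the
     * WS-Security interceptor in front of it. serviceClass is the JAX-WS
     * service endpoint interface of the web service (assumed parameter).
     */
    public static Server publish(Class<?> serviceClass, Object implementor, String address) {
        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setServiceClass(serviceClass);
        factory.setServiceBean(implementor);
        factory.setAddress(address);
        // The interceptor runs on every inbound message before the implementor is invoked.
        factory.getInInterceptors().add(usernameTokenInterceptor(new UTPasswordCallback()));
        return factory.create();
    }
}
```

The three map entries correspond to the string keys "action", "passwordType" and "passwordCallbackRef" that a Spring definition of the interceptor bean passes in its constructor-arg map, and the endpoint published here is what a Camel route reaches through the camel-cxf component. Requiring the Timestamp action matters: without it, the Created and Expires values of the header shown earlier are never checked, and a captured request stays valid indefinitely.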
To play with the example, follow the Camel CXF example and enjoy it!
