Super Secure Web Services in NetBeans IDE

In Web Service Security: Three Steps, I went through some simple steps for setting up basic security for web services. An even better way of doing it is to use HTTPS (HTTP over SSL/TLS), which secures data by encrypting it between the server and browser. Below are the elements you added to a web service's web.xml file in Web Service Security: Three Steps -- with one additional element, <user-data-constraint>, which specifies that the web service must be reached over HTTPS, so the client also sends its credentials over the encrypted connection:
<security-constraint>

  <web-resource-collection>
    <web-resource-name>Web Service Security Resource</web-resource-name>
    <url-pattern>/Hello</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>

  <auth-constraint>
    <role-name>doing-important-things</role-name>
  </auth-constraint>

  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>

</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<security-role>
  <description>Big Bosses</description>
  <role-name>doing-important-things</role-name>
</security-role>

Note that the <user-data-constraint> element must come after the <auth-constraint> element.
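As an added example (not code from the original post), here is a small Python audit that reads a web.xml, flags any role-protected URL whose transport-guarantee is not CONFIDENTIAL (so BASIC credentials would cross the wire unencrypted), and checks the element-order rule just noted. The two sample descriptors are constructed from the configuration shown above; the function and variable names are my own.

```python
import xml.etree.ElementTree as ET

def _kids(elem, name):
    # Match on local name so the deployment-descriptor namespace does not matter
    return [c for c in elem if c.tag.rsplit('}', 1)[-1] == name]

def _text(elem, name):
    found = _kids(elem, name)
    return found[0].text.strip().upper() if found and found[0].text else None

def audit_web_xml(xml_text):
    """Return (url-patterns, finding) pairs for each problem; [] means clean."""
    root = ET.fromstring(xml_text)
    login = _kids(root, 'login-config')
    method = (_text(login[0], 'auth-method') if login else None) or 'NONE'
    findings = []
    for sc in _kids(root, 'security-constraint'):
        patterns = ','.join(p.text.strip() for wrc in _kids(sc, 'web-resource-collection')
                            for p in _kids(wrc, 'url-pattern') if p.text) or '(none)'
        order = [c.tag.rsplit('}', 1)[-1] for c in sc]
        # The schema requires <auth-constraint> before <user-data-constraint>
        if ('auth-constraint' in order and 'user-data-constraint' in order
                and order.index('user-data-constraint') < order.index('auth-constraint')):
            findings.append((patterns, 'user-data-constraint placed before auth-constraint'))
        udc = _kids(sc, 'user-data-constraint')
        guarantee = _text(udc[0], 'transport-guarantee') if udc else None
        # A role-protected URL without CONFIDENTIAL lets BASIC/FORM credentials travel in clear
        if _kids(sc, 'auth-constraint') and guarantee != 'CONFIDENTIAL':
            findings.append((patterns, f'{method} credentials sent without CONFIDENTIAL '
                                       f'transport (transport-guarantee={guarantee})'))
    return findings

# Constructed sample: the configuration from the post inside a real web.xml root
SECURE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web Service Security Resource</web-resource-name>
      <url-pattern>/Hello</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>doing-important-things</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
# Constructed weak variant: the same constraint with <user-data-constraint> left out
WEAK_WEB_XML = SECURE_WEB_XML.replace(
    "<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>", "")
```

Running audit_web_xml over SECURE_WEB_XML returns an empty list; over WEAK_WEB_XML it reports /Hello as sending BASIC credentials without CONFIDENTIAL transport.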

In addition, you need to enable HTTPS on the server that deploys the web service. On the Sun Java System Application Server, you do this by adding the <transport-guarantee> element shown below to the <security-role-mapping> that you defined in Web Service Security: Three Steps:

<security-role-mapping>
  <role-name>doing-important-things</role-name>
  <principal-name>very-high-up-guy</principal-name>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</security-role-mapping>

For the Tomcat Web Server, you need to edit the server.xml file as described here (and also in Tomcat's own SSL Configuration HOW-TO). I don't know how it works for other servers, such as JBoss, but in each case you need to do something to enable the server to work with HTTPS.

Then, when a client attempts to connect to the web service (and also the first time you deploy the web service), you get this slightly forbidding-looking certificate:

Using the JDK's Keytool application, you can create and manage your own certificates. So far, I'm just using the standard certificate provided by the Sun Java System Application Server. I'll be looking at creating my own soon.

About

Geertjan Wielenga (@geertjanw) is a Principal Product Manager in the Oracle Developer Tools group living & working in Amsterdam. He is a Java technology enthusiast, evangelist, trainer, speaker, and writer. He blogs here daily.
