Geertjan's Blog

  • July 21, 2005

Super Secure Web Services in NetBeans IDE

Geertjan Wielenga
Product Manager
In Web Service Security: Three Steps, I went through some simple steps for setting up basic security for web services. An even better way of doing it is to use HTTPS, which secures the data by encrypting it in transit between the server and the client. Below are the elements you added to a web service's web.xml file in Web Service Security: Three Steps, with one additional element, <user-data-constraint>, which specifies that the web service should force the client to authenticate over HTTPS:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Web Service Security Resource</web-resource-name>
        <url-pattern>/Hello</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>doing-important-things</role-name>
    </auth-constraint>
    <!-- additional element: require HTTPS (confidential transport) for this resource -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <description>Big Bosses</description>
    <role-name>doing-important-things</role-name>
</security-role>

Note that the <user-data-constraint> element must come after the <auth-constraint> element.
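A small lint over a web.xml, as an added example that is not part of the original post: it flags every <security-constraint> that requires a role (so BASIC credentials will be sent) without a CONFIDENTIAL transport guarantee, and also reports the element-order mistake noted above. The sample web.xml is constructed; its first constraint is the one from this post, the second is a hypothetical one that forgot <user-data-constraint>.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first constraint matches the post (HTTPS forced); the
# second (hypothetical) requires BASIC auth but leaves transport at the default.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web Service Security Resource</web-resource-name>
      <url-pattern>/Hello</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>doing-important-things</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/Reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>doing-important-things</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def _local(tag):
    """Drop a namespace prefix such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]


def find_weak_constraints(web_xml_text):
    """Return (url-patterns, problem) pairs for each <security-constraint> that
    names a role without CONFIDENTIAL transport, or that places
    <user-data-constraint> before <auth-constraint> (invalid element order)."""
    findings = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        kids = [_local(c.tag) for c in sc]
        patterns = [e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
        guarantee = "NONE"  # servlet-spec default when the element is absent
        for e in sc.iter():
            if _local(e.tag) == "transport-guarantee":
                guarantee = (e.text or "NONE").strip().upper()
        if "auth-constraint" in kids and guarantee != "CONFIDENTIAL":
            findings.append((patterns, "auth required but transport-guarantee is " + guarantee))
        if ("user-data-constraint" in kids and "auth-constraint" in kids
                and kids.index("user-data-constraint") < kids.index("auth-constraint")):
            findings.append((patterns, "<user-data-constraint> must follow <auth-constraint>"))
    return findings
```

Run it against a deployed web.xml (`find_weak_constraints(open("web.xml").read())`) before deploying; an empty list means every authenticated resource is forced onto HTTPS.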

In addition, you need to enable HTTPS on the server that deploys the web service. On the Sun Java System Application Server, you do this by adding the <transport-guarantee> element below to the <security-role-mapping> that you defined in Web Service Security: Three Steps:

<security-role-mapping>
    <role-name>doing-important-things</role-name>
    <principal-name>very-high-up-guy</principal-name>
    <!-- additional element: require HTTPS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</security-role-mapping>

For the Tomcat Web Server, you need to edit the server.xml file as described here (and also in Tomcat's own SSL Configuration HOW-TO). I don't know how it works for other servers, such as JBoss, but in each case you need to do something to enable the server to work with HTTPS.

Then, when a client attempts to connect to the web service (and also the first time you deploy the web service), you get a slightly forbidding-looking certificate prompt:

Using the JDK's Keytool application, you can create and manage your own certificates. So far, I'm just using the standard certificate provided by the Sun Java System Application Server. I'll be looking at creating my own soon.
