Is Webservice Security Enough?

I am looking to open a web service that several clients can call to receive transactional data. Each calling client will retrieve a different subset of the data.

We host the web service on WebSphere 7 - the external web service is essentially a proxy for the real WS running on our ESB platform.

Currently, I have the following security:

1) WS-Security username / password sent in the header (plaintext). This authenticates against our user repository (the repository is used elsewhere and has passed a security check).

2) HTTPS

3) Restrict IP address calls through the firewall

4) PGP: the payload data is encrypted using the client's public key

How safe is it? I'm sure the payload data is safe, but I'm not entirely sure that the access mechanism is 100% safe. We use the built-in IBM WebSphere support for #1.

+4

3 answers

Well, since you use HTTPS, you don't have to worry about sending passwords in plain text. Therefore, as long as your authentication works correctly (you say that the repository has been checked for security), it is pretty safe.

In addition, you have an encrypted payload with PGP that is truly secure - at least as long as all parties process their keys with the necessary care.

-> What you describe sounds pretty solid to me, especially with PGP asynchronous encryption, which is mostly not attacked (unless you are considering social engineering).

Maybe one last thought (but I think you do not need this advice):
I don't know about WebSphere, but other application servers or ESBs (like JBoss) ship with default administrative tools that are often freely reachable over the Internet (just google for /jmx-console ...). Be sure to protect them with a password or disable them if they are not needed.

+4

This is more than enough for me. The only additional thing I can think of is the use of temporary passwords. See RSA for details.

+1

Is the subset of data returned by the service tied to the authenticated client's identity, or is the returned dataset defined by a parameter that is passed in?

+1
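The point raised in this last answer is the one the question's list of controls does not cover: authentication (WS-Security UsernameToken over HTTPS) says who the caller is, but it is the authorization step that decides which subset the caller gets back. The following is an added example, not code from the question or from any of the answers, and it is not WebSphere- or ESB-specific: it contrasts a handler that selects the subset from a request parameter (so any authenticated client can request any other client's rows) with one that derives the subset from the authenticated principal. The dataset, the user-to-client mapping and the account names are constructed for the example; the WS-Security layer is assumed to have already verified the password and handed over the username.

```python
"""Tie the returned data subset to the authenticated identity, not to a
request parameter. Constructed example; the dataset and the user/client
mapping are illustrative stand-ins for a real repository."""

# Constructed sample dataset: each transaction row is owned by one client account.
TRANSACTIONS = [
    {"id": 1, "client": "acme", "amount": 120.00},
    {"id": 2, "client": "acme", "amount": 35.50},
    {"id": 3, "client": "globex", "amount": 980.00},
    {"id": 4, "client": "initech", "amount": 12.25},
]

# Constructed mapping from the username asserted by the (already verified)
# WS-Security UsernameToken to the client account whose rows that user may read.
USER_TO_CLIENT = {
    "acme-svc": "acme",
    "globex-svc": "globex",
}


class AuthorizationError(Exception):
    """Raised when an authenticated caller is not entitled to the requested data."""


def fetch_by_parameter(requested_client):
    """Weak pattern: the subset is chosen from a request parameter alone.

    Every caller that passes authentication can name any client here, so the
    WS-Security credential never actually limits what is returned.
    """
    return [t for t in TRANSACTIONS if t["client"] == requested_client]


def fetch_for_principal(authenticated_user, requested_client=None):
    """Hardened pattern: the subset is derived from the authenticated identity.

    If the request also names a client (for example a legacy parameter), it
    must agree with the caller's own account; a mismatch is refused rather
    than silently corrected, so it can be logged as a policy violation.
    """
    client = USER_TO_CLIENT.get(authenticated_user)
    if client is None:
        raise AuthorizationError(f"user {authenticated_user!r} is not mapped to any client")
    if requested_client is not None and requested_client != client:
        raise AuthorizationError(
            f"user {authenticated_user!r} (client {client!r}) requested client {requested_client!r}"
        )
    return [t for t in TRANSACTIONS if t["client"] == client]


def is_denied(authenticated_user, requested_client=None):
    """Helper for callers that only need a yes/no: True when access is refused."""
    try:
        fetch_for_principal(authenticated_user, requested_client)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    # With the parameter-driven handler, the acme account can read globex rows.
    print("by parameter  :", [t["id"] for t in fetch_by_parameter("globex")])
    # With the principal-driven handler, acme only ever sees its own rows.
    print("for principal :", [t["id"] for t in fetch_for_principal("acme-svc")])
    print("cross-tenant request denied:", is_denied("acme-svc", "globex"))
```

In a WS-Security deployment the `authenticated_user` argument corresponds to the principal the container establishes after validating the UsernameToken; the mapping to a client account belongs on the server side (a lookup table or an attribute of the user record), never in the SOAP body.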
