What is the best way to secure a SOAP web service on an internal private network

Today, for application sharing, more and more web services are designed for internal use. We do not have an ESB to control and protect these web services, so I guess this is a good way to protect them.

We are trying to establish two-way SSL, but we cannot control the authorization on a specific web service.

My need is to be able to control which application calls my web service, and whether this application is allowed to call it.

I don't like WS-Trust and WS-Security because they modify the original SOAP message, but it seems there is no other solution.

Any idea?

Thanks.

+4
3 answers

Your question mentions that you do not want to modify the current SOAP message, which means there is no message-level security.

So you need to go with security at the transport level.

Even with two-way SSL, you can authorize users based on the fingerprint of the user certificate; how to do this depends on the stack you use.

Another variant:

  • Basic HTTPS Authentication
  • 2-legged OAuth

The difference is that 2-legged OAuth supports non-repudiation, while basic auth does not.

Regardless of the mechanism you use for authentication, you can use XACML for fine-grained authentication ...

+2
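The first answer's approach (two-way SSL for authentication, then authorization keyed on the client certificate's fingerprint, with the allowed operations decided per calling application) written out as an added example. This is not code from the answer or from any SOAP stack; the application names, SOAPAction URIs and the "certificate" byte strings are constructed placeholders so the check runs offline, and `make_server_context` shows the Python `ssl` settings that force the handshake to require a certificate from the internal CA.

```python
import hashlib
import ssl
from typing import Optional, Tuple

# Constructed stand-ins for the DER bytes of two client certificates. In a
# real deployment these are the certificates the internal CA issued to each
# calling application; here they are labelled byte strings so the example
# runs without any PKI.
SAMPLE_BILLING_CERT_DER = b"constructed: not a real certificate (billing-app)"
SAMPLE_REPORTING_CERT_DER = b"constructed: not a real certificate (reporting-app)"


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as lowercase hex.

    Same value `openssl x509 -fingerprint -sha256` prints (minus the colons),
    so operators can fill the allowlist from the CLI.
    """
    return hashlib.sha256(der_bytes).hexdigest()


# Allowlist keyed by client-certificate fingerprint. Each entry names the
# application (for logs) and the SOAPAction values it may invoke, giving
# per-operation authorization on top of mutual-TLS authentication.
# Application names and action URIs are hypothetical.
CLIENT_ALLOWLIST = {
    cert_fingerprint(SAMPLE_BILLING_CERT_DER): {
        "app": "billing-app",
        "actions": {"urn:example:invoices:getInvoice",
                    "urn:example:invoices:createInvoice"},
    },
    cert_fingerprint(SAMPLE_REPORTING_CERT_DER): {
        "app": "reporting-app",
        "actions": {"urn:example:invoices:getInvoice"},
    },
}


def authorize(peer_cert_der: Optional[bytes], soap_action: str) -> Tuple[bool, str]:
    """Decide whether the presented client certificate may invoke soap_action.

    Returns (allowed, reason); the reason is meant for the server log, so a
    rejected caller is identified only by a fingerprint prefix.
    """
    if not peer_cert_der:
        return False, "no client certificate presented"
    fp = cert_fingerprint(peer_cert_der)
    entry = CLIENT_ALLOWLIST.get(fp)
    if entry is None:
        return False, f"client certificate {fp[:16]}... is not an allowlisted application"
    if soap_action not in entry["actions"]:
        return False, f"{entry['app']} is not permitted to call {soap_action}"
    return True, f"{entry['app']} authorized for {soap_action}"


def make_server_context(ca_path: str, cert_path: str, key_path: str) -> ssl.SSLContext:
    """Server-side TLS context that requires a client certificate signed by
    the internal CA. CERT_REQUIRED fails the handshake for callers without
    one, so authorize() only ever sees CA-issued certificates. The paths are
    placeholders.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_path, key_path)
    ctx.load_verify_locations(ca_path)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def handle_request(tls_sock: ssl.SSLSocket, soap_action: str) -> Tuple[bool, str]:
    """Glue for a real server: take the DER certificate off the TLS socket
    after the handshake and run the allowlist check before dispatching."""
    peer_der = tls_sock.getpeercert(binary_form=True)
    return authorize(peer_der, soap_action)


if __name__ == "__main__":
    for der, action in [
        (SAMPLE_BILLING_CERT_DER, "urn:example:invoices:createInvoice"),
        (SAMPLE_REPORTING_CERT_DER, "urn:example:invoices:createInvoice"),
        (b"constructed: some other certificate", "urn:example:invoices:getInvoice"),
        (None, "urn:example:invoices:getInvoice"),
    ]:
        print(authorize(der, action))
```

Pinning the whole-certificate fingerprint means the allowlist has to be updated whenever a client certificate is renewed; if that churn is a problem, the same lookup can be keyed on a stable attribute of the CA-validated certificate (for example its subject) instead.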

You can use HTTP basic authentication over HTTPS. It allows the called application to recognize the user and therefore perform authorization.

This link [1] shows how I did a similar thing with the WSO2 ESB. But depending on your stack, there might be a way.

[1] http://wso2.org/library/articles/2011/06/securing-web-service-integration

+1

My need is to be able to control which application calls my network and whether this application is allowed to call it.

I feel that you need an authorization mechanism on the service provider side.

If you do not want to do any encryption in your SOAP messages, you might consider adding new parameters to the SOAP message. For example, the client sends <applicationId> and <password> (or an encrypted string of AppId and PassWord) as new parameters of the WS; on the WS provider side, the WS checks whether the application has the right to call.

But this leads to changes in the implementation of both the client and the service.

Or you can check the client's IP address on the request to decide which application it comes from, if your applications have fixed IP addresses.

0
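The third answer's provider-side check (an applicationId/password pair carried as extra parameters in the SOAP body, combined with a fixed-address check) as an added example, not code from the answer. The envelope, application ids, passwords and networks are constructed; the password store uses salted PBKDF2 so the provider never holds the clear-text secret, and an unknown applicationId is hashed against a decoy so it costs the same as a wrong password.

```python
import hashlib
import hmac
import ipaddress
import os
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of an application password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _register(app_id: str, password: str, networks, operations) -> Tuple[str, Dict]:
    salt = os.urandom(16)
    return app_id, {
        "salt": salt,
        "hash": hash_password(password, salt),
        "networks": [ipaddress.ip_network(n) for n in networks],
        "operations": set(operations),
    }


# Constructed provider-side registry: for each hypothetical calling application,
# its password hash, the source networks it may call from, and the operations
# it may invoke.
APP_REGISTRY: Dict[str, Dict] = dict([
    _register("billing-app", "constructed-billing-secret",
              ["10.10.5.0/24"], ["getInvoice", "createInvoice"]),
    _register("reporting-app", "constructed-reporting-secret",
              ["10.10.9.0/24"], ["getInvoice"]),
])

# Decoy credential hashed at start-up so an unknown applicationId takes as
# long to reject as a wrong password (no timing oracle on valid ids).
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = hash_password("decoy", _DECOY_SALT)

# Constructed request: the operation carries applicationId/password as extra
# parameters, exactly as the answer proposes.
SAMPLE_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:inv="urn:example:invoices">
  <soapenv:Header/>
  <soapenv:Body>
    <inv:getInvoice>
      <applicationId>billing-app</applicationId>
      <password>constructed-billing-secret</password>
      <invoiceId>42</invoiceId>
    </inv:getInvoice>
  </soapenv:Body>
</soapenv:Envelope>"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> Optional[str]:
    for node in elem.iter():
        if _local(node.tag) == name and node.text:
            return node.text.strip()
    return None


def authorize_soap_request(envelope_xml: str, source_ip: str) -> Tuple[bool, str]:
    """Verify the in-message credentials, the caller's address and the
    requested operation before the service executes anything."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        return False, "malformed envelope: no operation in Body"
    operation = body[0]
    op_name = _local(operation.tag)
    app_id = _child_text(operation, "applicationId")
    password = _child_text(operation, "password")
    if app_id is None or password is None:
        return False, f"{op_name}: missing applicationId/password"

    entry = APP_REGISTRY.get(app_id)
    salt, expected = (entry["salt"], entry["hash"]) if entry else (_DECOY_SALT, _DECOY_HASH)
    # Constant-time comparison of the derived hash against the stored one.
    if not hmac.compare_digest(hash_password(password, salt), expected) or entry is None:
        return False, f"{op_name}: authentication failed for {app_id!r}"

    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in entry["networks"]):
        return False, f"{op_name}: {app_id} called from unexpected address {source_ip}"
    if op_name not in entry["operations"]:
        return False, f"{op_name}: {app_id} may not invoke this operation"
    return True, f"{op_name}: {app_id} authorized"


if __name__ == "__main__":
    print(authorize_soap_request(SAMPLE_ENVELOPE, "10.10.5.17"))
    print(authorize_soap_request(SAMPLE_ENVELOPE, "10.10.9.3"))
```

Because the password travels inside the body, this scheme only holds up on top of the HTTPS the question already has; the address check is a coarse second condition rather than authentication on its own, since several applications may share an address behind a proxy or NAT.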
