
WSIT security mechanisms help needed, please!

markomitrovic
Joined: 2007-10-03

Hi everyone,
I'm using NetBeans IDE 5.5.1 and Glassfish v2 (b58g) to develop a simple web-service based application. For my faculty project (diploma project, that is) I need to implement some sort of e-gov system with web services with special care of security. I will create one web service for a municipality (operations related to citizen services: issuing documents to citizens) and another that will simulate some sort of bank (operations for money transfer from account to account).
The web application containing the municipality ws will have a ws client for the bank ws (which will be in a separate web app) in order to realize online payment of municipality services. There will also be a third web app with servlets and JSPs for the user interface, which will contain a ws client for the municipal ws.
I installed the WSIT plugin for NetBeans and went through some tutorials on ws security and it's all pretty simple to set up. But I have a hard time figuring out which security mechanism to use (mutual certificates, SAML holder-of-key, SAML sender-vouches etc.). I want both ws provider and ws client to be authorized to each other and SOAP messages to be encrypted (body element), in order to protect sensitive financial data. Can anyone please help me by explaining the differences between the available sec. mechanisms (and how each of them in fact works, not only what it achieves) or pointing to some site where I can find some sort of clear and concise explanation?
I've been googling for 3 days now and am still stuck, and the deadline is approaching fast. Also, I need an explanation of how to set my own private/public keys (and certificates) for the chosen security mechanism.
Thanks in advance.

markomitrovic
Joined: 2007-10-03

Unfortunately, I'm still a bit confused. Suppose I use Mutual Certificates. And I insert the server's cert into the client's truststore (the client being the municipality app and the server the bank ws). Then, when the client requests an operation from the server (wsp, that is), it sends its cert within the SOAP message (in the form of an X509 token). That client's cert is issued by some CA. If the server has the CA's cert in its truststore it will be able to confirm that the client cert is valid. But that only proves that the client's public key is the one from the cert it sent.
What if someone else (other than the trusted client) sends an op request (encrypted with the server's public key) and inside it its own X509 certificate, with its own public key in it? If that someone else's cert has been signed by a CA which the server trusts, then that someone else may be able to use the server's ops (i.e. make money transfers). That is not what I want. I want only those clients that have authorization to be able to make money transfers. Am I getting something wrong? Is a username/password token better (with symmetric key)? I want only trusted clients to be able to make transfers, and only the bank server to be able to send confirmation messages (SOAP responses) to those clients.


kumarjayanti
Joined: 2003-12-10

We do allow custom certificate authentication where you can check if the certificate belongs to someone authorized to perform the operation.

1. The current option in GlassFish is to access the cert of the client within the EndPoint Implementation and do the authorization checks.
2. We do support a custom certificate Validator when running on non-GlassFish containers.
3. For GlassFish and other containers in future we are currently implementing a Token PostValidation hook that allows developers to specify a JSR 196 Authentication Module where the developers can do additional checks on tokens/certificates besides the default trusted CA validation.

Alternatively you can use Username Authentication with Symmetric keys as well if that works for you. Again in that profile the client is implicitly trusting the server (because it would need to have the server's cert in its client truststore, this cert would be used to encrypt information for the server).

Thanks.

smjain1
Joined: 2007-10-04

Hi Jayanti,
My requirement is to have the Web service authenticated using an SSO. Do I need to go for STS based security or any other mechanism?
Regards
Shashank

kumarjayanti
Joined: 2003-12-10

Hi,

A brief description of the mechanisms can be found at the end of the article at this link:

http://www.netbeans.org/kb/60/websvc/wsit.html

From your description: "I want both ws provider and ws client to be authorized to each other and SOAP messages to be encrypted (body element)"

It appears the "Mutual Certificates Security" Profile would be applicable for this. You may also want to evaluate use of SSL with Client-Authentication enabled (which is also called SSL Mutual Authentication) for your requirement.

So in the "Mutual Certificates Security" profile the server's certificate is used by the client to encrypt the SOAP Body; the server's certificate needs to be in the client truststore a priori, indicating that the client trusts the server. Then the client signs the request and also sends its certificate to the server. The server would dynamically validate the client certificate to see if it trusts the client. For this validation to work the CA certificate of the client cert needs to be trusted by the server (i.e. the CA cert should be in the server's truststore).

Please post WSIT questions on the Metro forum.

Thanks.
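The two replies above make the same point: in the Mutual Certificates profile WSIT only checks that the client certificate chains to a trusted CA, so the endpoint implementation still has to decide whether that particular certificate is authorized for the operation (option 1 in kumarjayanti's list). The following JAX-WS endpoint is an added illustration, not code from the thread or from Metro; it assumes the Metro helper `com.sun.xml.wss.SubjectAccessor.getRequesterSubject(WebServiceContext)` exposes the validated client certificate as a public credential, and the fingerprint allowlist is a constructed placeholder.

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.security.auth.Subject;
import javax.xml.ws.WebServiceContext;
import com.sun.xml.wss.SubjectAccessor; // Metro/WSIT helper; assumed available on the endpoint classpath

@WebService
public class BankService {
    @Resource
    private WebServiceContext wsContext;

    // Constructed allowlist of SHA-256 fingerprints (hex) of client certificates that may
    // call transfer(). A real deployment would load this from configuration, not hard-code it.
    private static final Set<String> AUTHORIZED_FINGERPRINTS = new HashSet<String>(
        Arrays.asList("PLACEHOLDER_SHA256_FINGERPRINT_OF_MUNICIPALITY_CERT"));

    @WebMethod
    public String transfer(String fromAccount, String toAccount, long amount) throws Exception {
        // By the time we get here WSIT has verified the signature and the CA chain.
        // That proves key possession and CA trust, not that this caller may move money.
        Subject requester = SubjectAccessor.getRequesterSubject(wsContext);
        X509Certificate clientCert = extractCertificate(requester);
        if (clientCert == null || !isAuthorized(clientCert, AUTHORIZED_FINGERPRINTS)) {
            throw new SecurityException("client certificate is valid but not authorized for transfers");
        }
        // ... perform the transfer ...
        return "transfer accepted";
    }

    // Pull the X.509 certificate that WSIT stored in the requester's Subject (assumed location).
    static X509Certificate extractCertificate(Subject subject) {
        if (subject == null) return null;
        for (Object cred : subject.getPublicCredentials()) {
            if (cred instanceof X509Certificate) return (X509Certificate) cred;
        }
        return null;
    }

    // Authorization is a pinned-certificate check: hash the DER encoding and compare it
    // against the allowlist, so a different cert from the same CA is rejected.
    static boolean isAuthorized(X509Certificate cert, Set<String> allowed) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return allowed.contains(hex.toString());
    }
}
```

Pinning the whole certificate means the allowlist must be updated when the municipality's certificate is renewed; matching on the subject DN instead would survive renewal but only if the CA never issues that DN to anyone else.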

markomitrovic
Joined: 2007-10-03

Thank you for the reply. I'll probably use mutual certificates, and will move to the Metro forum for further WSIT questions.