RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


Choose the Right Web Services Security Solution : Page 4

Choosing a web services security solution can be daunting. Here's a guide that examines some of the popular security solutions and assesses each one's strengths and limitations.

Signature-Based Authentication
UsernameToken authentication is appropriate for scenarios where the client identity is user-based, but your web service client may be a server or device that does not directly represent a user. Consider the case of a shipping web service that routes orders to the appropriate shipping provider by examining the order's deliver-by date. Suppose that the client is a message-driven server order application that receives orders from a queue and processes them by calling services such as shipping and billing. In this case, the shipping service's authentication scheme must restrict access to only the order application server instead of specific users.

One method of authenticating server and device clients is using XML-Signature. The client uses a private key to sign the SOAP message while the web service verifies the signature using the corresponding public key. A pair of public/private keys must be generated as discussed in the earlier encryption example. A keystore normally stores the X509 certificate containing the server's public key. Figure 2 illustrates the signature-based authentication sequence.

Click to enlarge

Figure 2. Signature-Based Authentication Sequence

Configuring the web service for XML-Signature is again server specific, so please refer to your server's documentation. (This article describes the steps for WebSphere configuration.)

Adding signatures to the client requires configuring a WSS4J handler in the same manner as encryption. You can add the code for the handler in the configureClientHandlers method introduced earlier:

private static void configureClientHandlers(Object svc) {
   Client client=Client.getInstance(svc);

   client.addOutHandler(new DOMOutHandler());

   // Add WSS4J signature Handler
   Properties sigProps = new Properties();
   client.addOutHandler(new WSS4JOutHandler(sigProps));	

The configureClientHandlers method calls configureSignature to specify the handler's signature properties. The properties include the parts of the message to be signed, the location of the signature property file, and the method for specifying the signature in the SOAP header:

    protected static void configureSignature(Properties config)
        // Signature Action
        config.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE );
        // Method of specifying the signature in the header
        config.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        // Signature Property File Location
        config.setProperty(WSHandlerConstants.SIG_PROP_FILE, "com/dev/ws/client/driver/outsecurity_sig.properties");
        // Sign the Body part of the message
        String bodyPart = "{Content}{}Body";

The signature property file outsecurity_sig.properties specifies the location of the keystore, its password, and the alias of the signer:


Running the calculator example with signature enabled produces the following SOAP message:

<soap:Envelope ...>
      <wsse:Security ...>
         <ds:Signature ...>
            <ds:SignatureValue ...>
   <soap:Body ...>

Notice that the SOAP header now includes a SignatureValue element that contains the signature. The server uses this signature to verify the authenticity of the SOAP message.

Signature-based authentication is an effective method for securing services whose clients are other servers and devices. Signatures also address the security needs of applications that require legal proof of authentication for every service transaction. The need to manage certificates for both clients and servers increases the maintenance overhead and must be considered in the planning phase. You should also be aware that this scheme does not tie into the J2EE authorization model and therefore is limited to addressing authentication requirements.

Close Icon
Thanks for your registration, follow us on our social networks to keep up-to-date