How to go about web service security in Java

Does anyone have a recommendation about web service security architecture in Java (preferably under JBoss)? Any recommended reading?

I want to expose a fairly rich web service to the world but the data are sensitive and it requires authentication from the current client (Flex), accessed via RPC. I definitely do not want any server-side session state.

What's the best way to go about implementing security through web services in Java/JBoss and where can I read about it?

Asked by: Adrian992 | Posted: 21-01-2022

Answer 1

You could try:

SOA Security

Answered by: Brianna162 | Posted: 22-02-2022

Answer 2

For web services security in JBoss, I would start by reading 8.4 WS-Security of the JBossWS User Guide.

Answered by: Oliver793 | Posted: 22-02-2022

Answer 3

WSSE is simple and works well.

Answered by: Justin576 | Posted: 22-02-2022
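
As an added example (not code from this thread or from JBossWS), here is how a server can check a WS-Security UsernameToken without keeping per-client session state, assuming the "WSSE" in Answer 3 means the UsernameToken header with PasswordDigest. The class name, the five-minute freshness window and all sample values are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: server-side check of a WS-Security UsernameToken (PasswordDigest). */
public class UsernameTokenVerifier {
    private static final Duration MAX_AGE = Duration.ofMinutes(5); // assumed freshness window
    // Nonces seen inside the freshness window: a replay cache, not per-client session state.
    private final Map<String, Instant> seenNonces = new ConcurrentHashMap<>();

    /** PasswordDigest = Base64(SHA-1(nonce bytes + created + password)); SHA-1 is fixed by the profile. */
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    boolean verify(String nonceB64, String created, String digestB64, String storedPassword, Instant now)
            throws Exception {
        Instant ts = Instant.parse(created);
        // Reject tokens whose Created timestamp is stale or too far in the future.
        if (ts.isBefore(now.minus(MAX_AGE)) || ts.isAfter(now.plus(MAX_AGE))) return false;
        String expected = digest(Base64.getDecoder().decode(nonceB64), created, storedPassword);
        // MessageDigest.isEqual compares in constant time.
        boolean match = MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                              digestB64.getBytes(StandardCharsets.US_ASCII));
        if (!match) return false;
        seenNonces.values().removeIf(t -> t.isBefore(now.minus(MAX_AGE))); // drop expired nonces
        return seenNonces.putIfAbsent(nonceB64, ts) == null; // false when the nonce is replayed
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the original page.
        byte[] nonce = "constructed-nonce-01".getBytes(StandardCharsets.UTF_8);
        String nonceB64 = Base64.getEncoder().encodeToString(nonce);
        Instant now = Instant.parse("2022-02-22T10:00:30Z");
        String created = "2022-02-22T10:00:00Z";
        String sent = digest(nonce, created, "example-password");
        UsernameTokenVerifier v = new UsernameTokenVerifier();
        System.out.println("first use accepted: " + v.verify(nonceB64, created, sent, "example-password", now));
        System.out.println("replay accepted:    " + v.verify(nonceB64, created, sent, "example-password", now));
        System.out.println("wrong password:     " + v.verify(nonceB64, created, sent, "other", now));
    }
}
```

The digest scheme requires the server to hold the password, or an equivalent secret, in a form it can feed into the hash, and the token does not protect the message body, so the endpoint should still be served over TLS.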
