What is the best way to secure SOAP web service on

Posted 2019-06-27 02:35

Question:

Today there are more and more web services developed for internal use to connect applications together. We do not have an ESB to control and secure these web services, so I am wondering what a good way to secure them is.

We have tried to set up two-way SSL, but we are not able to control the authorization on a particular web service.

My need is to be able to control which application is calling my web service and is this application authorized to call it.

I don't like WS-Trust and WS-Security because they alter the original SOAP message, but it seems that there is no other solution.

Any idea?

Thanks

Answer 1:

In your question you mention that you do not want to modify the current SOAP message - that means message level security is out.

So you need to go ahead with transport level security.

Even with two-way SSL you will be able to authorize users based on the thumbprint of the user certificate - how to do that depends on the stack you use.

Other options are:

  1. Basic Authentication over HTTPS
  2. 2-legged OAuth

The difference is that 2-legged OAuth supports non-repudiation while basic auth does not.

Irrespective of the mechanism you use to authenticate, you can use XACML for fine grained authorization...
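
Added example, not part of the answer above: a sketch of authorizing callers by client-certificate thumbprint on top of two-way SSL, which leaves the SOAP message untouched. The application names, service names and policy table are hypothetical, and the certificate bytes are constructed stand-ins rather than real certificates.

```python
import hashlib
import ssl

# Constructed stand-ins for DER-encoded client certificates (not real certificates).
BILLING_CERT_DER = b"constructed-der-bytes-for-billing-app"
REPORTING_CERT_DER = b"constructed-der-bytes-for-reporting-app"


def thumbprint(der_cert: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


# Hypothetical policy: thumbprint -> (application name, services it may call).
POLICY = {
    thumbprint(BILLING_CERT_DER): ("billing-app", {"InvoiceService", "CustomerService"}),
    thumbprint(REPORTING_CERT_DER): ("reporting-app", {"CustomerService"}),
}


def build_server_context(cert_file, key_file, client_ca_file) -> ssl.SSLContext:
    """Two-way TLS: the handshake fails unless the client presents a cert signed by our CA."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def authorize(der_cert, service):
    """Return the calling application's name if it may call `service`, else None."""
    if not der_cert:                      # no client certificate presented
        return None
    entry = POLICY.get(thumbprint(der_cert))
    if entry is None:                     # valid chain, but not a known application
        return None
    app, allowed = entry
    return app if service in allowed else None


def authorize_connection(tls_sock, service):
    """Per-request check on an accepted ssl.SSLSocket, before the SOAP body is dispatched."""
    return authorize(tls_sock.getpeercert(binary_form=True), service)
```

The CA check in the handshake only proves the certificate was issued internally; the thumbprint lookup is what ties a request to one application and to the services it may call.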



Answer 2:

You can use HTTP basic authentication over HTTPS. It lets the back-end application know the user, and hence makes it possible to do authorization.

This link[1] shows how I have done a similar thing with WSO2 ESB. But depending on your stack there may be a way.

[1] http://wso2.org/library/articles/2011/06/securing-web-service-integration



Answer 3:

> My need is to be able to control which application is calling my web service and is this application authorized to call it.

I feel that what you want is an authorization mechanism on your service provider side.

If you do not want to do any encryption on your SOAP messages, you may consider adding new parameters to the SOAP message, e.g. the client sends <applicationId> and <password> (or an encrypted AppId, Password string) as new parameters to the WS; at the WS provider side, the WS checks whether the application has the right to call.

But this brings changes to the client and service implementation.

Or you could check the client IP of the request to decide which application it is from, if your applications have fixed IP addresses.