We have several internal web applications/services in our company which can only be accessed from the LAN. Now we have a public web portal hosted on the Internet, and this portal needs to access some internal services.
To meet this requirement, I plan to use Apache Camel in ServiceMix to route the requests from the web portal to the local web services.
The exposed endpoints will use Jetty (HTTP) or CXF. As you can see, we must secure those endpoints, since they will also be exposed on the Internet.
I read through the Camel website; Camel supports Shiro security for authentication and authorization. However, I think Shiro is too heavy for our scenario, because we only have one web portal to be authenticated. And Shiro will not encrypt the payload, which means the username and password will be transported in plain text.
So I am considering using HTTPS, but I am new to HTTPS. How does HTTPS authenticate the requesting application? Should I use 2-way HTTPS?
Please clear this up for me; an example would be very helpful. Thanks.
Read through this section; it explains how you can have a secure CXF endpoint:
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Fuse/6.0/html/Security_Guide/files/CamelCXF.html
If you didn't manage to create your secure endpoint, let me know and I'll create an example for you.
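The 2-way HTTPS the question asks about, as an added example that is not part of the Red Hat guide linked above: a Camel 3 Jetty consumer that requires the portal to present a client certificate chaining to a dedicated trust store before the request is bridged to a LAN-only service. The keystore paths, passwords and the internal host name are placeholders.

```java
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.support.jsse.KeyManagersParameters;
import org.apache.camel.support.jsse.KeyStoreParameters;
import org.apache.camel.support.jsse.SSLContextParameters;
import org.apache.camel.support.jsse.SSLContextServerParameters;
import org.apache.camel.support.jsse.TrustManagersParameters;

public class PortalGatewayRoute extends RouteBuilder {
    // TLS settings for the Internet-facing Jetty consumer. Paths and
    // passwords are placeholders to be replaced with real deployment values.
    static SSLContextParameters serverTls() {
        // Server identity: certificate and private key presented to the portal
        KeyStoreParameters serverKeys = new KeyStoreParameters();
        serverKeys.setResource("file:/etc/gateway/server.p12");
        serverKeys.setPassword("CHANGE_ME_KEYSTORE_PASSWORD");
        KeyManagersParameters kmp = new KeyManagersParameters();
        kmp.setKeyStore(serverKeys);
        kmp.setKeyPassword("CHANGE_ME_KEY_PASSWORD");

        // Trust store contains only the CA (or self-signed certificate) that
        // signed the portal's client certificate, not the public CA bundle.
        KeyStoreParameters trusted = new KeyStoreParameters();
        trusted.setResource("file:/etc/gateway/portal-truststore.p12");
        trusted.setPassword("CHANGE_ME_TRUSTSTORE_PASSWORD");
        TrustManagersParameters tmp = new TrustManagersParameters();
        tmp.setKeyStore(trusted);

        // REQUIRE makes this 2-way TLS: the handshake fails unless the client
        // presents a certificate that chains to the trust store above.
        SSLContextServerParameters server = new SSLContextServerParameters();
        server.setClientAuthentication("REQUIRE");

        SSLContextParameters tls = new SSLContextParameters();
        tls.setKeyManagers(kmp);
        tls.setTrustManagers(tmp);
        tls.setServerParameters(server);
        return tls;
    }

    @Override
    public void configure() {
        getContext().getRegistry().bind("serverTls", serverTls());
        // Only portal requests that passed the client-certificate check reach
        // this route; they are then bridged to the LAN-only service.
        from("jetty:https://0.0.0.0:8443/portal/orders?sslContextParameters=#serverTls")
            .log("portal request ${header.CamelHttpMethod} ${header.CamelHttpUri}")
            .to("http://orders.lan.internal:8080/api/orders?bridgeEndpoint=true");
    }
}
```

The portal side then needs its own keystore with the client certificate and a trust store holding the gateway's server certificate; no password travels in the request at all.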
A client of mine has a bunch of APIs in CloudHub that communicate with two APIs on premise in their runtime. The question I get asked, to which I don't really know the answer, is how to secure the communication between the APIs on CloudHub and on premise without using API Manager (since the client preferred not to pay for it)? I thought of a middleware (middleware inception) that hashes the messages from one end to another; is this a viable idea? What could the best answer be?
The server applications should implement some basic security best practices like authentication and encryption.
Having applications deployed in any cloud environment without security is a big security risk. I assume that there is a secure link between the CloudHub environment and their on premise environment, like a VPN, but even so this architecture would probably not pass a security audit.
They should implement authentication using HTTP Basic authentication or OAuth 2. These are the most common authentication schemes used for REST APIs. Note that credentials go in clear text, so they should also implement encryption.
To encrypt the traffic the server applications should use TLS, i.e. HTTPS connections instead of plain HTTP.
Optionally you could also implement mutual TLS authentication, requiring the client to have a valid certificate that the HTTPS server validates.
Hashing messages could be an additional level of security, but that implies changing the applications' logic to implement some custom security. The effort should be better put into implementing standard security practices as mentioned. If after that you want to add it, feel free to do so.
You have not shared details of the technology of the on prem applications. Mule applications can implement both the client and server side of any of these methods. Read the documentation for details:
https://docs.mulesoft.com/http-connector/1.7/http-authentication
https://docs.mulesoft.com/mule-runtime/4.4/tls-configuration
https://help.mulesoft.com/s/article/Tutorial-how-to-create-a-simple-Mule-4-http-basic-authentication-application
I'm trying to create a web application that uses a Web API to perform database operations. I've created a project at work that uses Windows Authentication at the API level. Since this is an intranet web application I don't need to implement a login mechanism on the web application. However, the project I'm working on now can be a private or public web application, and I would like to implement a login mechanism, but I would like to be able to specify what type of security to use, i.e. LDAP, generic username/password, Google, Facebook, etc.
The question is, what is the best strategy to implement security on both the Web Application and the Web API? For the Web API, I could probably implement some sort of token mechanism like other APIs. But I'm not sure if there are other ways.
Is a sign-in option like Google, Facebook, etc. done on the front-end side, or can I implement it on the Web API side?
The best practice in this case:
Web Application: client certificate authentication or username/password
Web API: JWT
or, if the target company uses G Suite with the company domain, Google will be okay.
You can set a filter using domain name of the email address.
Is there a way to block REST API calls from a non-authorized client?
Is there a way to make the API "limited" to (public for) only a small number of well-defined clients?
thanks :-)
You can deploy mutually-authenticated SSL between your clients and your server. You can use self-signed certificates here so you don't need to buy any from a CA. This will ensure that your server only accepts requests from clients that have the client-side certificate (configure your server to only accept the self-signed client certificates deployed on your clients for client authentication).
If you are using RESTful HTTP, you can add an HttpServletFilter to your web.xml which prevents unauthorized clients from accessing your REST methods.
See Securing JAX-RS and RESTeasy.
If you use the Spring Framework and you don't want to implement your own HttpServletFilter, you can use Spring Security.
You just need to implement security mechanisms in your RESTful Service, so it denies access to unauthorized clients (with a 404 or 401 response code). There are several ways to achieve this:
Rely on HTTP authentication mechanisms, like Basic Authentication
Implement a Custom Authentication framework, that overcomes HTTP Basic Authentication limitations. Amazon has an interesting approach that includes custom HTTP headers and supports hashing.
Use an existing security framework and add its capabilities to your service. Spring Security sounds like a great option.
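One way to implement the filter the two answers above describe (an added example, not code from the linked RESTeasy article or from Spring Security): a servlet filter, mapped to the API paths in web.xml, that relies on HTTP Basic Authentication and answers 401 to every other caller. It assumes Servlet 4.0 (HttpFilter) and Java 9+; the credential table is constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;
public class BasicAuthFilter extends HttpFilter {
    // Constructed credential table for the example; real code would load it
    // from configuration and compare against a password hash.
    private static final Map<String, String> CLIENTS = Map.of("portal", "CHANGE_ME");
    // Returns the client id when the header carries a valid Basic credential, else null.
    static String authenticate(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        String expected = CLIENTS.get(user);
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual is constant-time, so a wrong password does not leak how many bytes matched.
        boolean ok = expected != null && MessageDigest.isEqual(given, expected.getBytes(StandardCharsets.UTF_8));
        return ok ? user : null;
    }
    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!req.isSecure()) { // Basic credentials are only base64-encoded: refuse plain HTTP
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String client = authenticate(req.getHeader("Authorization"));
        if (client == null) {
            res.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.setAttribute("client", client); // downstream REST methods can read who called
        chain.doFilter(req, res);
    }
}
```

Mapping the filter to /api/* in web.xml makes every REST method behind that path unreachable without credentials, which is exactly the "limited to a few well-defined clients" behaviour the question asks for.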
Is it possible to use SSL on one of the servlet-mappings in web.xml?
I have a site using GWT for browser access and mobile phones accessing GAE via simple HttpServletRequest in servlets.
The setup:
Browser GWT Access
For the site, the user log in via Google Account or Facebook. Then the user interacts with the site - no SSL setup here as I am using Google App Domain.
I guess the communication regarding user and password is safe in this scenario with tokens etc., right?
Mobile Access
The user interacts with Google App Engine (Java) from mobile phones; the user and password are passed along with each call. This I need to be SSL and safe.
I have seen things like this: using https sparingly in my GAEJ app
But I am not using RPC from the mobile access.
Any thoughts on this - Thanks in advance
Regards
Therefore I am thinking of SSL on Google App Engine, but is it possible in my scenario?
Yes, it is possible to use SSL with App Engine, but you have to use the *.appspot.com domain, not your own domain name.
See the following link for information about securing specific URLs in App Engine in web.xml:
http://code.google.com/appengine/docs/java/config/webxml.html#Secure_URLs
hth
I'm interested to know what methods people use to secure their webservices from unauthorized web service consumers.
There is a protocol specifically for web services security WS-Security. I've used parts of it in the past but at the time there was not a lot of support for it in .Net so it was a lot of work.
Currently, with .Net, I use SOAP Extension Headers. I have one web service call to authenticate and get a session token, and then include that token in a SOAP header for every subsequent call, somewhat similar to this example. Of course, all the requests must travel over TLS to keep them from being compromised.
I usually require either a user id/password to be sent each time, or return a token from the first authenticated connection that can be used subsequently.
Nothing fancy. Pretty similar to standard web app login.
I've used both SOAP headers and method parameters to pass user credentials; .NET makes using the SOAP headers pretty easy, but I had issues with this using Java (several months back). I also do some IP-based filtering if the service is not intended for client (browser) use, but rather for backend web servers. Public, browser-consumable web services are often protected by session cookies, i.e., they require a valid logon to the web site, and then the standard session authentication mechanism is used for requests via AJAX to web services.
You can use network appliances such as IBM's DataPower or Vordel if you don't want to handle it in your own application.