Reputation: 613
I am looking to expose a Web Service which can be called by multiple clients to retrieve transactional data. Each calling client will retrieve a different subset of data.
We are hosting the web service in WebSphere 7 - the external web service is essentially a proxy to the real WS running on our ESB platform.
Currently I have the following security in place:
1) WS-Security username/password sent in the header (plaintext). This is authenticated against our custom repository (the repository is in use elsewhere and has been security tested).
2) HTTPS
3) Restricting calling IPs via firewall
4) Payload data is PGP encrypted using the clients public key
Is this secure "enough"? I'm pretty sure the payload data is secure, but I'm not completely sure whether the access mechanism is 100% secure. We are using what is built in to IBM WebSphere for #1.
Upvotes: 4
Views: 210
Reputation: 1350
Is the subset of data which is returned by the service linked to the authenticated client identity, or is the returned set of data determined by a parameter which gets passed in?
Upvotes: 1
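The distinction this answer draws (subset bound to the authenticated identity versus chosen by a request parameter) is the authorization check the setup in the question does not mention. The following JAX-WS sketch is an added illustration, not code from the question's project: `TransactionRepository` and `ClientDirectory` are hypothetical interfaces standing in for the custom repository, and the unsafe method is shown only for contrast, not exposed.

```java
import java.security.Principal;
import java.util.List;
import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

// Hypothetical: transactional data keyed by the owning client's id.
interface TransactionRepository {
    List<String> findByClientId(String clientId);
}

// Hypothetical: maps an authenticated user name to the single client id it owns.
interface ClientDirectory {
    String clientIdFor(String userName);
}

@WebService
public class TransactionService {

    // Injected by the JAX-WS runtime; carries the identity the container
    // established from the WS-Security UsernameToken (assumed to be configured).
    @Resource
    private WebServiceContext wsContext;

    // Wired by the deployment in whatever way the container supports (assumed).
    private TransactionRepository repo;
    private ClientDirectory directory;

    // Weak form, for contrast only (not annotated, so not exposed): trusts the
    // caller-supplied id, so any authenticated client can read another's subset.
    List<String> getTransactionsUnsafe(String clientId) {
        return repo.findByClientId(clientId);
    }

    // Hardened form: the subset is derived from the authenticated principal.
    // If the contract keeps a clientId parameter, it must match the caller's own.
    @WebMethod
    public List<String> getTransactions(String requestedClientId) {
        Principal caller = wsContext.getUserPrincipal();
        if (caller == null) {
            throw new SecurityException("no authenticated caller");
        }
        String ownClientId = directory.clientIdFor(caller.getName());
        if (ownClientId == null || !ownClientId.equals(requestedClientId)) {
            // Worth logging as a detection signal; the message stays generic.
            throw new SecurityException("caller not authorized for requested client");
        }
        return repo.findByClientId(ownClientId);
    }
}
```

The same principle applies if the proxy forwards to the ESB: pass the authenticated identity downstream and let the backend filter on it, rather than trusting an id that arrived in the request body.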
Reputation: 11943
Well, as you are using HTTPS you don't have to worry about sending the passwords in plaintext. So as long as your authentication works properly (you say the repo was security tested) this is quite secure.
Additionally you have encrypted payload using PGP, which is really secure - at least as long as all parties handle their keys with the needed care.
--> What you're describing sounds fairly solid to me, especially with the asynchronous encryption of PGP which is basically not attackable (unless you consider social engineering).
Maybe a last thought (but I guess you don't need this advice):
I don't know about WebSphere, but in other application servers or ESBs (e.g. JBoss) there are some admin tools activated by default which tend to be freely accessible via the web (just google for /jmx-console ...). Make sure to secure those with passwords or deactivate them if need be.
Upvotes: 4
Reputation: 115388
For me it is more than enough. The only additional thing I can think about is using temporary passwords. See RSA for details.
Upvotes: 1