Saturday, July 29, 2017

Web Services

Web Services exist mainly for 2 reasons:

1. For machine consumption
2. Language/Platform independent application development


According to the J2EE spec, the categories of Web Services are:
a) JAX-WS* :- SOAP based [earlier JAX-RPC]
b) JAX-RS :- RESTful

SOAP Based / JAX-WS:
JAX-WS* specifies various standards for how messages are communicated between a source and a destination (including intermediaries) in a distributed enterprise architecture.


Theoretical Specification:
WS-Addressing
WS-Policy & WS-Security
WS-Federation
WS-Reliable Messaging
WS-Coordination
WS-Transaction
WS-Remote Portlets

Technologies in SOAP space: SOAP, XML, WSDL, XSD, JAXB, UDDI, SAAJ & ws-gen, ws-import

Most Important:-
WS-Addressing: A SOAP message travels from a source to a destination through various intermediate nodes. Intermediaries are also web applications, but they process only some part of the SOAP message and then forward it to the next node in the path. As per WS-Addressing, all addressing-related information (intermediaries etc.) is contained in the SOAP XML message itself.

WS-Security: This provides "message layer security" that does not depend on transport-layer (or protocol-specific) security. That is, the SOAP XML carries encrypted security information along with the message, preventing it from being read by unintended recipients.

Sample SOAP Request and Response: [image]

Security in J2EE vs Spring Application

There are 3 types of Security in Web Applications:

1. Transport layer security - TLS
2. Message layer security - SOAP
3. Application layer security :
   a) Container managed in J2EE
   b) Independent of the container in Spring MVC; handled by AOP.


J2EE
Application layer security is handled by the containers. That is, the web container has the code to verify the security aspects of the request and, upon verification, lets it access the servlets. Before the request is dispatched to an EJB bean, the EJB container has the code to verify that the requester has sufficient privileges [Authorization] to access the beans and, upon verification, lets it access the EJB beans to process the business logic.

Spring MVC:
In Spring MVC the containers don't handle the security mechanism. It is handled separately by another "Class" as an aspect [AOP]. The containers have no code to verify the access rights of the requester.

The Spring Security class/handler has an XML configuration [just like the IoC container has an XML] registered in web.xml. The Spring Security class then processes the authentication/authorization of the requester via a chain of filters/interceptors. Hence, the security mechanism is independent of the container. As with AOP, the security code can be injected anywhere.

Security in Web Applications

In the context of security in Web Applications, predominantly there are 3 layers:

1. Message Layer Security
2. Transport layer Security
3. Application Layer Security

Message Layer Security: Encrypting the message [XML] in a SOAP request. This is possible with SOAP, but not with REST.
Consider a message/request travelling from a client to a server. Note that there will be intermediate nodes in between, which might do one or more of intercepting, processing and forwarding the message.


SOAP Request Travel Path
The SOAP request contains some encrypted portions that only the intended server can process and read. No intermediate server can process them. This is achieved through the WS-Security specification supported by J2EE.

The major advantage is that even if TLS is broken, the message (SOAP) can't be decoded by the attacker, which is another layer of security. Hence, SOAP security is independent of protocol security.
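Added example (not from the original post), in Python, of the message path described under WS-Addressing above and again here: the intermediary forwards on the wsa:To header alone, while the final receiver checks a wsse:Security timestamp and an integrity token over the Body, so that a change made at any hop, or a replayed message, is rejected regardless of what TLS did on the wire. Because the standard library has no XML Signature, the `IntegrityToken` element and its HMAC over the canonicalized Body are a constructed stand-in for WS-Security's XML-DSig; the shared key, URLs and body content are constructed, while the namespace URIs are the real ones.

```python
import hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Real namespace URIs for SOAP 1.2, WS-Addressing 1.0 and WS-Security (WSS 1.0 secext/utility).
NS = {"env": "http://www.w3.org/2003/05/soap-envelope", "wsa": "http://www.w3.org/2005/08/addressing",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
for p, u in NS.items(): ET.register_namespace(p, u)  # stable prefixes across build and parse

def q(prefix, name):
    return "{%s}%s" % (NS[prefix], name)
def body_digest(body_el, created, key):  # constructed stand-in for an XML-DSig signature
    canon = ET.canonicalize(ET.tostring(body_el, encoding="unicode"), strip_text=True)  # C14N
    return hmac.new(key, (created + canon).encode(), hashlib.sha256).hexdigest()
def build_envelope(to, action, body_xml, key, created):  # sender
    env = ET.Element(q("env", "Envelope"))
    hdr = ET.SubElement(env, q("env", "Header"))
    ET.SubElement(hdr, q("wsa", "To")).text = to            # routing data for intermediaries
    ET.SubElement(hdr, q("wsa", "Action")).text = action
    ET.SubElement(hdr, q("wsa", "MessageID")).text = "urn:uuid:" + secrets.token_hex(16)
    sec = ET.SubElement(hdr, q("wsse", "Security"), {q("env", "mustUnderstand"): "true"})
    ts = ET.SubElement(sec, q("wsu", "Timestamp"))
    ET.SubElement(ts, q("wsu", "Created")).text = created
    body = ET.SubElement(env, q("env", "Body"))
    body.append(ET.fromstring(body_xml))
    ET.SubElement(sec, "IntegrityToken").text = body_digest(body, created, key)  # hypothetical element
    return ET.tostring(env, encoding="unicode")
def next_hop(envelope_xml):  # intermediary: reads only the WS-Addressing headers, never the Body
    root = ET.fromstring(envelope_xml)
    return (root.findtext("env:Header/wsa:To", namespaces=NS),
            root.findtext("env:Header/wsa:Action", namespaces=NS))
def verify(envelope_xml, key, now, max_age=timedelta(minutes=5)):  # ultimate receiver
    root = ET.fromstring(envelope_xml)
    created = root.findtext("env:Header/wsse:Security/wsu:Timestamp/wsu:Created", namespaces=NS)
    token = root.findtext("env:Header/wsse:Security/IntegrityToken", namespaces=NS)
    body = root.find("env:Body", NS)
    if created is None or token is None or body is None:
        return False
    age = now - datetime.fromisoformat(created)  # stale or future timestamps are treated as replay
    return timedelta(0) <= age <= max_age and hmac.compare_digest(token, body_digest(body, created, key))

def demo():
    key = b"constructed-shared-key"  # constructed secret, shared out of band with the final receiver
    created = datetime(2017, 7, 29, 10, 0, tzinfo=timezone.utc)
    env = build_envelope("https://bank.example/transfer", "urn:example:Transfer",
                         "<Transfer><Account>12345</Account><Amount>100</Amount></Transfer>", key, created.isoformat())
    tampered = env.replace("<Amount>100</Amount>", "<Amount>9999</Amount>")  # Body altered at an intermediary
    soon, late = created + timedelta(minutes=1), created + timedelta(hours=1)
    return {"hop": next_hop(env), "ok": verify(env, key, soon),
            "tampered": verify(tampered, key, soon), "stale": verify(env, key, late)}
```

The intermediary never needs the key, and the receiver's check does not depend on whether the hops in between were protected by TLS or not.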

Transport Layer Security: 
TLS is the successor of SSL. It is part of the TCP/IP (or OSI) stack.
TLS Security
The channel of message communication is encrypted. But if an attacker breaks the TLS layer encryption, access to the actual message is easy, which is not possible with SOAP message-layer security.

*How to configure TLS:
At the server end, the Server.xml config file needs to be modified to enable TLS security.

Application Layer Security:
The security constraints that apply to the login credentials of the user/client. This is composed of:
1. Basic Authentication: Login ID and Pwd
2. Authorization: Roles and Privileges mapping
3. SAML and OAuth

These are coded as part of the web application's servlets and other security components.

J2EE vs Spring Eco Systems

A comparison of a standard J2EE application server and Spring IoC with a web server:


Spring MVC with TomCat Web server

IBM WebSphere App Server

How J2EE components work together in any Container - Spring or Application Server

In a Spring+Jersey+Hibernate RESTful web application, we can spot various J2EE components - JTA, JPA, Java Bean Validation, JSON-B API for B...