[Webappsec] Java Frameworks for Secured Web Services

Jeff Williams jeff.williams at owasp.org
Thu Dec 20 22:25:27 EST 2007 

I agree with Stephen on staying with security features already in your
framework.  However, if there are no such features available, you'll have to
find a way to add them.  Here are a few options.

You could use container security for URL level authentication and access
control. You'll need to configure roles in web.xml and then add constraints
to your services.  Or you can do checks programmatically with isUserInRole,
etc... I'm not crazy about this approach, and you'll still need to do a lot
of work to implement validation, logging, crypto, etc...

I suggest you look at the OWASP ESAPI project (http://www.owasp.org/esapi).
It was primarily designed for traditional web applications, but 90% of the
methods or more are applicable to web services. It's got support for most
everything you'll need in your web services.  All you have to do is invoke
it.  Using a Java EE filter in front of your web services might be one way
to layer on security with ESAPI.

--Jeff

-----Original Message-----
From: webappsec-bounces at lists.owasp.org
[mailto:webappsec-bounces at lists.owasp.org] On Behalf Of Stephen de Vries
Sent: Thursday, December 20, 2007 5:47 AM
To: marcandre.laverdiere at tcs.com
Cc: webappsec @OWASP
Subject: Re: [Webappsec] Java Frameworks for Secured Web Services


Hi,

> On 12/20/07, marcandre.laverdiere at tcs.com <marcandre.laverdiere at tcs.com 
> > wrote:
>>
>> Hello,
>>
>> I'm a 'traditional' security guy, and I'm having the chance of being
>> involved in a project that uses a lot of Web technologies, all  
>> coded in
>> Java. So, I'm out of my comfort zone in my own domain of expertise.  
>> Yay.
>>
>>
>> This project has already a pretty big codebase, developped without  
>> security
>> in mind, and I need to make proposals to change that.
>>
>> We have a web application that communicates to a server via web  
>> services. I
>> have a good idea on how to make the application safer, and putting
>> authentication/authorization there seems doable. There are nice  
>> libraries I
>> can use (such as HDIV) that will make it easy to deal with a lot of
>> problems.

The application architects have already chosen to work with a certain  
set of frameworks, so I'd recommend finding out what those frameworks  
are, and then researching the security features offered by them.  If  
they don't offer the services you require, then you could consider  
using a security specific framework.  The important thing IMO is to  
work closely with the architects and developers, as they'll be the  
ones implementing the security functionality.

>>
>> For the web service side of things, I feel like my brain wants to  
>> melt. The
>> OWASP document talks about those standards that leave me  
>> breathless. Are
>> there any platforms/middleware/libraries that I can use to secure  
>> this
>> thing? Can I implement some wrapper around the existing WS calls  
>> that would
>> have all the security (including access control) done, keeping the  
>> existing
>> code mostly untouched?

As above, first find out which frameworks were used to implement the  
web services layer.  The framework itself almost certainly has it's  
own access control facilities built in.

regards,
Stephen


>>
>> =====-----=====-----=====
>> Notice: The information contained in this e-mail
>> message and/or attachments to it may contain
>> confidential or privileged information. If you are
>> not the intended recipient, any dissemination, use,
>> review, distribution, printing or copying of the
>> information contained in this e-mail message
>> and/or attachments to it are strictly prohibited. If
>> you have received this communication in error,
>> please notify us by reply e-mail or telephone and
>> immediately and permanently delete the message
>> and any attachments. Thank you
>>
>>
>>
>> _______________________________________________
>> Webappsec mailing list
>> Webappsec at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/webappsec
>>
> _______________________________________________
> Webappsec mailing list
> Webappsec at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/webappsec

_______________________________________________
Webappsec mailing list
Webappsec at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/webappsec

More information about the Webappsec mailing list