[Webappsec] Java Frameworks for Secured Web Services
marcandre.laverdiere at tcs.com
Mon Dec 24 07:10:12 EST 2007
Hello,
Thanks for this idea. I need to look more at the classes, which is a
problem with our firewall configuration. Any publicly-available
javadoc/code samples?
I need to think about how fine-grained our checks need to be, as this
might not offer the granularity desired. Any experience to share on this
question?
So, in the case of my application, that means that I need to code the
wrapper, put an interceptor in the J2EE configuration that will execute
it. On the client side, I change the code that calls the web service and
add login/account management screens. Am I missing anything?
It is definitely a job where I would need to code the whole thing. I'll
have to come up with an estimate. Any standard metrics that I can use, so
that I don't guess-timate?
Also, one question... "This release is the first public release and will
undoubtably undergo significant revision over the coming months." So, how
stable do you foresee it to be? I can't afford to recode my entire
security layer every season :)
Enjoy your holidays. Regards,
Marc-Andre Laverdiere-Papineau
Tata Consultancy Services
Yantra Park -(STPI)
2nd Pokharan Road,
Opp HRD Voltas Center,Subash Nagar
Thane - 400 601,Maharashtra
India
Mailto: marcandre.laverdiere at tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Outsourcing
____________________________________________
webappsec-bounces at lists.owasp.org wrote on 12/21/2007 08:55:27 AM:
> I agree with Stephen on staying with security features already in your
> framework. However, if there are no such features available, you'll have to
> find a way to add them. Here are a few options.
>
> You could use container security for URL level authentication and access
> control. You'll need to configure roles in web.xml and then add constraints
> to your services. Or you can do checks programmatically with isUserInRole,
> etc... I'm not crazy about this approach, and you'll still need to do a lot
> of work to implement validation, logging, crypto, etc...
>
> I suggest you look at the OWASP ESAPI project (http://www.owasp.org/esapi).
> It was primarily designed for traditional web applications, but 90% of the
> methods or more are applicable to web services. It's got support for most
> everything you'll need in your web services. All you have to do is invoke
> it. Using a Java EE filter in front of your web services might be one way
> to layer on security with ESAPI.
>
> --Jeff
>
> -----Original Message-----
> From: webappsec-bounces at lists.owasp.org
> [mailto:webappsec-bounces at lists.owasp.org] On Behalf Of Stephen de Vries
> Sent: Thursday, December 20, 2007 5:47 AM
> To: marcandre.laverdiere at tcs.com
> Cc: webappsec @OWASP
> Subject: Re: [Webappsec] Java Frameworks for Secured Web Services
>
>
> Hi,
>
> > On 12/20/07, marcandre.laverdiere at tcs.com
> > <marcandre.laverdiere at tcs.com> wrote:
> >>
> >> Hello,
> >>
> >> I'm a 'traditional' security guy, and I'm having the chance of being
> >> involved in a project that uses a lot of Web technologies, all
> >> coded in
> >> Java. So, I'm out of my comfort zone in my own domain of expertise.
> >> Yay.
> >>
> >>
> >> This project has already a pretty big codebase, developed without
> >> security in mind, and I need to make proposals to change that.
> >>
> >> We have a web application that communicates to a server via web
> >> services. I
> >> have a good idea on how to make the application safer, and putting
> >> authentication/authorization there seems doable. There are nice
> >> libraries I
> >> can use (such as HDIV) that will make it easy to deal with a lot of
> >> problems.
>
> The application architects have already chosen to work with a certain
> set of frameworks, so I'd recommend finding out what those frameworks
> are, and then researching the security features offered by them. If
> they don't offer the services you require, then you could consider
> using a security specific framework. The important thing IMO is to
> work closely with the architects and developers, as they'll be the
> ones implementing the security functionality.
>
> >>
> >> For the web service side of things, I feel like my brain wants to
> >> melt. The
> >> OWASP document talks about those standards that leave me
> >> breathless. Are
> >> there any platforms/middleware/libraries that I can use to secure
> >> this
> >> thing? Can I implement some wrapper around the existing WS calls
> >> that would
> >> have all the security (including access control) done, keeping the
> >> existing
> >> code mostly untouched?
>
> As above, first find out which frameworks were used to implement the
> web services layer. The framework itself almost certainly has its
> own access control facilities built in.
>
> regards,
> Stephen
>
>
> >>
> >> =====-----=====-----=====
> >> Notice: The information contained in this e-mail
> >> message and/or attachments to it may contain
> >> confidential or privileged information. If you are
> >> not the intended recipient, any dissemination, use,
> >> review, distribution, printing or copying of the
> >> information contained in this e-mail message
> >> and/or attachments to it are strictly prohibited. If
> >> you have received this communication in error,
> >> please notify us by reply e-mail or telephone and
> >> immediately and permanently delete the message
> >> and any attachments. Thank you
> >>
> >>
> >>
> >> _______________________________________________
> >> Webappsec mailing list
> >> Webappsec at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/webappsec
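The approach Jeff sketches above (let the container authenticate the caller, then put a Java EE filter in front of the web-service endpoints that checks roles with isUserInRole) written out as an added example. This is not code from the thread, from ESAPI or from the OWASP project; the class name, the endpoint paths under /services/ and the role names are assumptions, and the real application would supply its own. The filter fails closed: a path with no rule, or a caller the container has not authenticated, is refused before the request reaches the service.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical access-control filter in front of web-service endpoints
 * (added example, not from the list thread, ESAPI or OWASP).
 *
 * The container still does authentication (login-config in web.xml) and
 * must declare the roles used below with security-role elements. This
 * filter adds a per-path role check that is finer than a single
 * url-pattern in a security-constraint.
 *
 * Assumed web.xml wiring:
 *   <filter><filter-name>wsAccess</filter-name>
 *           <filter-class>WsAccessFilter</filter-class></filter>
 *   <filter-mapping><filter-name>wsAccess</filter-name>
 *                   <url-pattern>/services/*</url-pattern></filter-mapping>
 */
public class WsAccessFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(WsAccessFilter.class.getName());

    // Path prefix (servlet path + path info) -> role required.
    // First matching prefix wins, so the most specific prefixes go first.
    private final Map<String, String> rules = new LinkedHashMap<>();

    @Override
    public void init(FilterConfig config) {
        // Assumed endpoints and roles; replace with the application's own.
        rules.put("/services/admin/", "admin");
        rules.put("/services/account/", "user");
        rules.put("/services/public/", "*");   // any authenticated caller
    }

    /** Role required for a path, or null when no rule matches (which means deny). */
    String requiredRole(String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (path.startsWith(rule.getKey())) {
                return rule.getValue();
            }
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Decoded path relative to the context root, without the query string.
        // The container normalises it, but refuse anything that still carries
        // traversal or doubled separators rather than trying to match it.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        if (path.contains("..") || path.contains("//")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        if (request.getUserPrincipal() == null) {
            // Container authentication has not run, or the caller is anonymous.
            LOG.warning("unauthenticated call to " + path + " from " + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String role = requiredRole(path);
        if (role == null || (!"*".equals(role) && !request.isUserInRole(role))) {
            LOG.warning("denied " + request.getUserPrincipal().getName()
                    + " -> " + path + " (requires " + role + ")");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, res);   // authorised: hand over to the web-service servlet
    }

    @Override
    public void destroy() {
        rules.clear();
    }
}
```

Because the filter runs before the web-service servlet, the existing service code stays untouched, which is the "wrapper" the original question asked for. Validation of the SOAP body, logging of the decision and any crypto still have to be added separately, as Jeff notes; ESAPI's validator and logger can be called from the same filter.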