November 28, 2014
Hot Topics:

A Proxy-Based Approach To Secure Web Services

  • March 3, 2004
  • By Rajesh Devdass and Ayyappan Gandhirajan
  • Send Email »
  • More Articles »

Framework Explained

The proxy Web service uses Web services handlers to intercept XML messages used in Web services. It contains two major components, namely:

  1. Authentication handler
  2. Proxy client

Needless to say, the authentication handler is realized by using a Web service handler and the proxy client is the back-end component. The two components are packaged into a single Web service. While the authentication handler authenticates the client, the proxy client invokes the actual Web service.

To start with, the end client sends the request to the Web service proxy along with its credentials. The credentials could be either a clear text password or a digital certificate. In case of basic authentication, the credentials (username and password) need to be sent as HTTP header parameters. In the case of advanced authentication, the end client signs the XML message with his/her digital certificate and sends the signed XML message to the server. Now the client has done its job.

On the server side, the authentication handler acts as an XML interceptor, which receives the XML message and the HTTP header parameters, if any. Depending on the type of authentication mechanism needed, the corresponding implementation is invoked to verify the credentials. By providing many hooks, different kinds of implementations for the authentication could be integrated very easily. The Lightweight Directory Access Protocol (LDAP) server can act as an ACL repository, which stores all the clients' profiles.

In the process of authenticating the client, the credentials being sent by the clients can be verified against the credentials stored in the ACL repository. If they are found to be matching, the user is authenticated successfully. Otherwise, the authentication process is a failure and the handler will send the failure message to the end client. In the case of successful authentication, the proxy client invokes the actual Web service by constructing a new SOAP message and sending it to the server hosting the actual Web service.

As far as the end client is concerned, he/she gets the response from the proxy Web service and the whole logic of authentication and actual service invocation is abstracted out. The other advantages of this new proxy approach over other products are as follows:

  • Lightweight framework
  • Low cost
  • Easy to integrate
  • Quick to deploy

Interaction Diagram



Click here for a larger image.

Note: The response flow is not shown in this figure. The actual Web service responds to the proxy client, and the proxy client will send the response back to the end client.

Conclusion

This article has discussed Web services and the security issues involved in using Web services. It also briefed you about the various solutions available and how the proxy-based approach can be very useful for securing Web services.

References

About the Authors

Rajesh Devadas holds a Master's degree in Computer Applications from MK University, India. He has been working as a Technical Lead for Hewlett-Packard, Bangalore with more than 10 years of domain experience in e-commerce, telecom, and mobile. He is currently involved in designing and developing mobile Web services infrastructure and solutions. He can be reached at Rajesh.Devadas@hp.com or rajesh_devadas@hotmail.com.

Ayyappan Gandhirajan holds a Bachelor's degree in Electronics & Communication Engineering from MK University, India. He has been working as a Senior Software Engineer for Hewlett-Packard, Bangalore with more than five years of industry experience involving Web services and J2EE technologies. He is currently involved in Web services orchestration and developing access controllers for Web services. He can be reached at ayyappan.gandhirajan@hp.com or G_Ayyapparaj@yahoo.com.





Page 2 of 2



Comment and Contribute

 


(Maximum characters: 1200). You have characters left.

 

 


Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

Sitemap | Contact Us

Rocket Fuel