A Proxy-Based Approach To Secure Web Services
The proxy Web service uses Web services handlers to intercept XML messages used in Web services. It contains two major components, namely:
- Authentication handler
- Proxy client
The authentication handler is implemented as a Web service handler, and the proxy client is the back-end component. The two components are packaged into a single Web service. While the authentication handler authenticates the client, the proxy client invokes the actual Web service.
On the server side, the authentication handler acts as an XML interceptor, which receives the XML message and the HTTP header parameters, if any. Depending on the type of authentication mechanism needed, the corresponding implementation is invoked to verify the credentials. Because the handler provides many hooks, different authentication implementations can be integrated very easily. A Lightweight Directory Access Protocol (LDAP) server can act as an ACL repository, which stores all the clients' profiles.
To authenticate the client, the credentials sent by the client are verified against the credentials stored in the ACL repository. If they match, the user is authenticated successfully. Otherwise, authentication fails and the handler sends a failure message to the end client. After successful authentication, the proxy client invokes the actual Web service by constructing a new SOAP message and sending it to the server hosting the actual Web service.
The end client simply receives the response from the proxy Web service; the whole logic of authentication and actual service invocation is abstracted away. The other advantages of this new proxy approach over other products are as follows:
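The request flow described above, as an added sketch in Python (not the authors' implementation, which is built on Web services handlers). It assumes an in-memory dictionary in place of the LDAP ACL repository; the `urn:example:auth` credential header, the function names, and the `backend` callable are hypothetical.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH = "urn:example:auth"  # hypothetical namespace for the credential header
ET.register_namespace("soap", SOAP)

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the LDAP ACL repository: user -> (salt, hash)
ACL = {"alice": (b"constructed-salt", pw_hash("s3cret", b"constructed-salt"))}

def fault(text):
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    f = ET.SubElement(body, f"{{{SOAP}}}Fault")
    ET.SubElement(f, "faultcode").text = "soap:Client"
    ET.SubElement(f, "faultstring").text = text
    return ET.tostring(env, encoding="unicode")

def authenticate(user, password):
    salt, stored = ACL.get(user, (b"unknown-user", b""))
    # Hash even for unknown users and compare in constant time.
    return hmac.compare_digest(pw_hash(password or "", salt), stored)

def handle_request(xml_text, backend):
    """Authentication handler, then proxy client. Returns the response XML."""
    if "<!DOCTYPE" in xml_text:  # SOAP messages must not carry a DTD
        return fault("Malformed request")
    try:
        env = ET.fromstring(xml_text)
    except ET.ParseError:
        return fault("Malformed request")
    body = env.find(f"{{{SOAP}}}Body")
    creds = env.find(f"{{{SOAP}}}Header/{{{AUTH}}}Credentials")
    if body is None or creds is None or not authenticate(
            creds.findtext(f"{{{AUTH}}}User"), creds.findtext(f"{{{AUTH}}}Password")):
        return fault("Authentication failed")
    # Proxy client: new envelope with the body only; credentials are not forwarded.
    out = ET.Element(f"{{{SOAP}}}Envelope")
    out.append(body)
    return backend(ET.tostring(out, encoding="unicode"))

def sample_request(user, password):  # constructed sample input
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:a="{AUTH}"><soap:Header><a:Credentials>'
            f'<a:User>{user}</a:User><a:Password>{password}</a:Password></a:Credentials>'
            f'</soap:Header><soap:Body><getQuote xmlns="urn:example:stock">'
            f'<symbol>HPQ</symbol></getQuote></soap:Body></soap:Envelope>')
```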
- Lightweight framework
- Low cost
- Easy to integrate
- Quick to deploy
Note: The response flow is not shown in this figure. The actual Web service responds to the proxy client, and the proxy client will send the response back to the end client.
This article has discussed Web services and the security issues involved in using them. It also outlined the various solutions available and showed how the proxy-based approach can be very useful for securing Web services.
About the Authors
Rajesh Devadas holds a Master's degree in Computer Applications from MK University, India. He has been working as a Technical Lead for Hewlett-Packard, Bangalore with more than 10 years of domain experience in e-commerce, telecom, and mobile. He is currently involved in designing and developing mobile Web services infrastructure and solutions. He can be reached at Rajesh.Devadas@hp.com or email@example.com.
Ayyappan Gandhirajan holds a Bachelor's degree in Electronics & Communication Engineering from MK University, India. He has been working as a Senior Software Engineer for Hewlett-Packard, Bangalore with more than five years of industry experience involving Web services and J2EE technologies. He is currently involved in Web services orchestration and developing access controllers for Web services. He can be reached at firstname.lastname@example.org or G_Ayyapparaj@yahoo.com.