Securing application in real world Web service development

When we talk about security, in general or in web services, there are four areas that need to be addressed: authentication, confidentiality, integrity and non-repudiation. Let’s take a look at each of these with a use case of online shopping. Let’s say we are building an e-commerce application called E-Mart, where the customer purchases something and makes a payment. When he makes a payment, E-Mart will call into the bank’s payment gateway web service, and as it does that, the bank will ask E-Mart to provide authentication information, usually a username and password. Otherwise any hacker, a friendly neighbourhood hacker, can hack into the bank’s payment gateway. The process of exchanging the username and password and making sure that it is really the E-Mart application that is accessing the bank’s payment gateway is called authentication, and only then will the bank respond. In the WS-Security standard there are three ways to do authentication: the Username Token Profile, X.509 certificates and SAML. SAML is used for single sign-on: if within our organisation we have multiple web service provider applications, and we want our clients to log into one of the applications and then be able to access any other web service application or provider without logging in again, we can do that using SAML. The second, very important, aspect is confidentiality. When we exchange SOAP messages, they could carry credit card information, social security numbers or any other sensitive information.

We do not want hackers, or the pirates of the web, to access that data and make their own payments; that is where confidentiality comes in. In WS-Security we make sure that even if a hacker gets hold of the message, he will not be able to make sense of it, by using WS-Security’s encryption and decryption: on the client side, when the message is sent, we encrypt it; on the server side we decrypt it; and on the way back we encrypt the response on the server and decrypt it on the client. We will work hands-on on all of that later on. The third is integrity of the message. This is where we ensure that the message sent by the client application is exactly the same message that is received by the server application, and that no hacker who likes to add random stuff adds things to our message which could crash our server-side application when it is processed. He could add scripts that, when run, crash our database or the application server.

We provide integrity using WS-Security signatures. That is, when we send the message we calculate a hash value of the message using an algorithm, and that hash becomes part of the message that goes to the server. On the server side we recalculate the hash and compare the two: the hash that came from the client and the hash value we calculate on the server. They should match; if not, that means somebody in between has changed the message. More on signatures in later lectures. Last but not least is non-repudiation, which prevents replay attacks. That is, if a hacker captures our message in transit, one that is properly authenticated, encrypted and signed, he can simply take that message and replay it a million times in the next five minutes to crash our application. WS-Security provides a timestamp to stop replay attacks from happening. You are going to implement all of these in the next few lectures: the Username Token Profile to authenticate, encryption and decryption using public and private keys, integrity using signatures, and finally the timestamp to prevent replay attacks.
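The two server-side checks described above, recomputing the hash of the message for integrity and enforcing the Timestamp window against replays, as an added example that is not part of the original lecture or course material. It uses the real SOAP 1.1 and WS-Security 1.0 namespace URIs, but stands in a keyed hash over the Body and a constructed `demo:Digest` element for the X.509-based XML Signature that WS-Security actually uses; the key, payload and clock values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DEMO = "urn:example:demo-signature"    # constructed namespace; stands in for a real ds:Signature
SHARED_KEY = b"constructed-demo-key"   # stands in for the X.509 key pair behind a real signature
CLOCK_SKEW = timedelta(minutes=5)      # tolerated drift between client and server clocks
FMT = "%Y-%m-%dT%H:%M:%SZ"

def digest_of(body_xml: str) -> str:
    # The hash the client sends along and the server recomputes to compare (the lecture's integrity step)
    return base64.b64encode(hmac.new(SHARED_KEY, body_xml.encode(), hashlib.sha256).digest()).decode()

def build_envelope(body_xml: str, created: datetime, ttl: timedelta = timedelta(minutes=5)) -> str:
    # Client side: payload wrapped with a wsu:Timestamp and the digest of the Body
    expires = created + ttl
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:demo="{DEMO}">'
            f'<soap:Header><wsse:Security><wsu:Timestamp><wsu:Created>{created.strftime(FMT)}</wsu:Created>'
            f'<wsu:Expires>{expires.strftime(FMT)}</wsu:Expires></wsu:Timestamp>'
            f'<demo:Digest>{digest_of(body_xml)}</demo:Digest></wsse:Security></soap:Header>'
            f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>')

def verify_envelope(envelope: str, now: datetime, seen: set) -> str:
    # Server side: integrity first, then the Timestamp window, then exact-replay detection
    root = ET.fromstring(envelope)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    created, expires = (datetime.strptime(sec.findtext(f"{{{WSU}}}Timestamp/{{{WSU}}}{tag}"), FMT)
                        .replace(tzinfo=timezone.utc) for tag in ("Created", "Expires"))
    claimed = sec.findtext(f"{{{DEMO}}}Digest")
    body_xml = ET.tostring(root.find(f"{{{SOAP}}}Body")[0], encoding="unicode")
    if not hmac.compare_digest(claimed, digest_of(body_xml)):
        return "rejected: integrity"    # Body altered after the client hashed it
    if now > expires + CLOCK_SKEW or created > now + CLOCK_SKEW:
        return "rejected: timestamp"    # outside the validity window the client declared
    if (created, claimed) in seen:
        return "rejected: replay"       # identical signed message already processed
    seen.add((created, claimed))        # entries can be dropped once Expires + CLOCK_SKEW has passed
    return "accepted"

def demo() -> list:
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    env = build_envelope("<Payment><Amount>100</Amount><Currency>USD</Currency></Payment>", t0)
    seen = set()
    return [verify_envelope(env, t0 + timedelta(seconds=10), seen),                      # accepted
            verify_envelope(env, t0 + timedelta(seconds=20), seen),                      # rejected: replay
            verify_envelope(env.replace("<Amount>100<", "<Amount>999999<"), t0, set()),  # rejected: integrity
            verify_envelope(env, t0 + timedelta(hours=1), set())]                        # rejected: timestamp
```

The order of the checks matters: the hash is verified before the Timestamp is trusted, so an attacker cannot extend a captured message's window by editing its Expires element.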
