16

I am writing a Spring Restful Web Services Project. I need to write secure Web Services. For Security I am already using Spring Security+SSL, however now i need some security for encryption and message signing. I know how to encrypt the message from code, however i am looking for a mechanism to enable automatic encryption/decryption and message signing.

I have been searching for different alternatives for security including spring WSS and others but most of them are for SOAP. Could some one suggest me some better security mechanism and a link for the same.

bluefoot
  • 10,220
  • 11
  • 43
  • 56
Rahul Taneja
  • 417
  • 1
  • 8
  • 18
  • 6
    Perhaps I am missing something, but what is wrong with using SSL? This will encrypt the transmission of request/response to webservices between server and client. – maple_shaft Dec 16 '11 at 12:55
  • thanks maple, you are right with SSL. However, is there anything else in security, which you may suggest me to make it a more secure web service. – Rahul Taneja Dec 17 '11 at 05:44

2 Answers2

7

There are multiple ways to secure your restful webservices, unfortunately there are many links which provides information to secure a soap web services, but as restful gaining popularity, it is of utmost necessity to find a way to secure and to find a way to manage sessions of your restful web service. So to secure my Spring MVC with restful support, You need to atleast consider for three Aspect

1) Authentication. -- For Authentication Spring Security can be used.
2) Authorization. -- For Authorizing a request OAuth can be used.
3) Securing the communication. -- SSL can be used to secure the communication channel.
4) Encryption -- Again Oauth can solve the purpose
5) Message Signing. -- Again Oauth can solve the purpose

So , to secure a restful webservice spring security + OAuth can be used. The other security mechanisms which can be used are Http Basic Security and Digest Security.

Here is a very good example securing a spring restful webservice with spring security: http://java.dzone.com/articles/securing-restful-web-service

Also to use spring security in conjunction with OAuth you can follow this tutorial:

Spring security with OAuth

Piyush-Ask Any Difference
  • 4,294
  • 5
  • 46
  • 92
Rahul Taneja
  • 417
  • 1
  • 8
  • 18
4

You basically have two patterns for REST security:

  1. Encrypt and sign requests/responses at the application level and run over HTTP. This involves a significant amount of work as you need to canonicalize all data before signing and ensure the client/server follows exactly the same process. This approach was adopted in early versions of the amazon web service protocols.

  2. Use SSL (possibly with client certificates). This is the preferred approach as there is no need to reinvent the wheel. SSL accelerators are available and performance will be significantly better than handling encryption and signing in your code.

Amazon have now moved to using SSL and you should do the same. This article gives a good comparison of the two approaches.

REST vs SOAP

You referred to SOAP and WS-Security which defines a protocol for encryption and signing at message (rather than transport) level. The reason WS-Security defines such a protocol is to provide end-to-end confidentiality, integrity and authenticity over a brokered SOA architecture. For example you may send a SOAP message from Service A to Service B which goes via C D and E. SSL/TLS works at a transport level and would therefore only protect the message between A and B. However REST is not intended for a brokered architecture so this approach is not applicable in your case.

  • thanks toby but I was looking for a complete security package. – Rahul Taneja Mar 15 '12 at 18:40
  • 1
    There's no such thing as a "complete security package", you need to assess the vulnerabilities in your own application. You then need to do a risk assessment to establish whether you are prepared to accept the risk or put measures in place to mitigate them. No package can do this for you –  Apr 24 '12 at 16:46