Managing Web Services › Web Services Security

Web Services Security

There are important security considerations in deploying web services. The default configuration when using HTTP is insecure, as it is for all information in web service calls sent between the client and the server in plain text over the network using the HTTP protocol. This includes not only application data, such as ticket descriptions and contact names, but also web service session identifiers (SID); and depending upon the web service application login methods used, it may include passwords. Administrators deploying web services are highly encouraged to review this information carefully and to take additional configuration steps at the application and network levels to secure their web service environment.

Important! The default web service configuration used with HTTP is insecure and vulnerable to security threats, which can include password discovery, session fixation, and data spying, among others.

There are three interrelated key security considerations in deploying Web Services:

• What (application level) access authentication schemes should this deployment support?
• What additional networking level security features does this deployment require?
• How will these requirements be enforced through web service configuration options?

The following describes each security feature:

• Web Service Application Level Authentication Schemes—To access Web Services, a web service client application must be authenticated with the web service application. Web Services provides two schemes of access authentication. The first is by username/password, and the other is by Public Key Infrastructure (PKI) technology. Both work with the Access Control and Management component in Web Services, using access policy. Access authentication and access management are the most important security features of Web Services.

  Authentication with username/password methods may be disabled using the following security configuration command:

  disable_user_logon 
  

  Before enabling this option, the administrator needs to determine if each web service client for which an enterprise is requesting Web Services access, can actually provide support for the alternative authentication method, which is the PKI-based login method. The key advantage to the PKI technology is that Web Services client applications do not require maintained system user accounts, that is; the maintenance, storage, and transmission of their passwords.

• Networking Level Security Configuration—In both authentication schemes, username/password and Public Key Infrastructure (PKI), notice that the session identifier returned from the specific login method (as well as all subsequent information), are transmitted in plain text when using HTTP. Furthermore, if the username/password authentication scheme is used, the password is sent unprotected (in plain text) from the web service client application to the Web Services. During product development, the W3C did not have recommended standards for web services security. Subsequently, WS-Security is not used by these Web Services implementations to provide a security context. Instead, point-to-point transport layer security (SSL/TLS) and other network level security mechanisms (for example, IPSec), are recommended to protect the otherwise plain text transmission of the application-level authentication exchange(s), and subsequent session identification and data.

  Important! We recommend using SSL (or https) when deploying Web Services to protect the application-level authentication exchanges and subsequent transmissions of session identification and data.

• Web Service Configuration—To allow administrators to enforce communications protocol-level security at the level of the Web Services application, the following two security configuration commands are supported:

  require_secure_logon
  

  This security feature requires you to use SSL (or https) for calling the Login() and LoginService() methods. This feature also provides a handy method for protecting the username and password, while avoiding the overhead of SSL for the rest of the web services.

  Important! If you use the require_secure_logon command, the Web Services application will not confirm that communications protocol-level security is enforced for methods other than Login() and LoginService(). Unless other precautions are taken, the other Web Services methods may be invoked insecurely, causing greater vulnerability to security threats.

  require_secure_connection
  

  This security feature requires you to use SSL to access any part of the web service. If https is required but not used, then a SOAP Fault with code UDS_SECURE_CHANNEL_REQUIRED is returned.

  Note: For information about how to configure SSL, see your J2EE Servlet Container documentation.