Novell exteNd Web Services SDK relies on the security functionality already present in the deployed environment to secure web service invocations. On the server side, SSL and authentication support comes from the Servlet container. On the client side, HTTP authentication with the Basic, Digest and NTLM schemes is built in. SSL is supported either through the built-in "https" URL handler or through the SSL handler shipped with JDK 1.4.
Basic Authentication
The Basic Authentication scheme sends the username and password as a base64 encoded string in the Authorization header. Base64 is an encoding, not encryption, so anyone who can observe the request can read the credentials; this is the least secure of the three schemes and should only be used over SSL. Basic Authentication is the default form of authentication when a username and password have been specified in the stub configuration.
Digest Authentication
The Digest Authentication scheme does not send the password itself. The client sends an MD5 hash computed over the username, realm and password together with a nonce value supplied by the server (and the request method and URI), so the password never appears on the wire. This is harder to exploit than Basic Authentication, but a captured exchange can still be attacked offline by guessing passwords, so the scheme keeps the drawbacks of password oriented security. To use Digest Authentication, set the username and password properties on the stub and additionally specify that Digest should be used.
NTLM Authentication
The NTLM Authentication scheme is, like Digest, a challenge-response protocol. It is a proprietary protocol from Microsoft, so the servers that provide security using it are limited in number. In the NTLM protocol the server first responds with an HTTP 401 status code requiring the client to authenticate using NTLM. The client then responds with a special authentication header. The server again responds with a 401 status code and a challenge. The client finally responds to the challenge, and if the provided credentials are correct, access to the resource in question is granted.
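The following Python program is an added illustration of the two HTTP schemes described above; it is not part of the SDK or of this page's original text. It builds and decodes a Basic header (showing that base64 hides nothing), computes and verifies a Digest response as specified in RFC 2617 with qop=auth (the server stores HA1 rather than the password and rejects a replay against a fresh nonce), and then runs an offline dictionary guess over the captured Digest exchange to show the "password oriented" weakness the text refers to. The credentials, realm and candidate password list are constructed for the example. NTLM is not implemented here.

```python
import base64
import hashlib
import hmac
import os

# Constructed credentials and realm for this example; not taken from any real deployment.
USERNAME = "alice"
PASSWORD = "s3cret"
REALM = "acme.com"


def basic_header(username, password):
    """Client side of Basic: the Authorization value is just base64 of 'user:password'."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value):
    """What an observer on the wire does with a Basic header: base64 is encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of Digest (RFC 2617, qop=auth): the password only enters through HA1."""
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5(":".join([ha1, nonce, nc, cnonce, qop, ha2]))


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side of Digest: the server keeps HA1 (not the password) and recomputes the response."""
    ha2 = _md5("%s:%s" % (method, uri))
    expected = _md5(":".join([stored_ha1, nonce, nc, cnonce, qop, ha2]))
    return hmac.compare_digest(expected, response)


def dictionary_attack(captured, candidates):
    """Offline attack on a captured Digest exchange: every input except the password is on
    the wire, so each candidate password can be tested without contacting the server."""
    for guess in candidates:
        if digest_response(captured["username"], captured["realm"], guess, captured["method"],
                           captured["uri"], captured["nonce"], captured["nc"],
                           captured["cnonce"]) == captured["response"]:
            return guess
    return None


def run_example():
    """Walk through both schemes and return the observations."""
    # Basic: whoever sees the request has the password.
    basic = basic_header(USERNAME, PASSWORD)
    recovered = decode_basic(basic)

    # Digest: server challenge (nonce), client response, server verification.
    method, uri = "POST", "/quotes"
    nonce = os.urandom(16).hex()       # chosen by the server for this challenge
    cnonce = os.urandom(8).hex()       # chosen by the client (qop=auth)
    nc = "00000001"
    response = digest_response(USERNAME, REALM, PASSWORD, method, uri, nonce, nc, cnonce)
    stored_ha1 = _md5("%s:%s:%s" % (USERNAME, REALM, PASSWORD))
    accepted = verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response)
    # The same response replayed against a fresh server nonce is rejected.
    replayed = verify_digest(stored_ha1, method, uri, os.urandom(16).hex(), nc, cnonce, response)

    # The password still falls to an offline guess over the captured exchange (constructed wordlist).
    captured = {"username": USERNAME, "realm": REALM, "method": method, "uri": uri,
                "nonce": nonce, "nc": nc, "cnonce": cnonce, "response": response}
    guessed = dictionary_attack(captured, ["password", "letmein", "s3cret", "hunter2"])

    return {"basic": basic, "recovered": recovered, "digest_accepted": accepted,
            "replay_accepted": replayed, "guessed": guessed}


if __name__ == "__main__":
    for key, value in run_example().items():
        print("%-16s %s" % (key, value))
```

The Digest computation is checked against the worked example in RFC 2617 section 3.5, so the same routine can be used to verify headers captured from a real client. Note that neither scheme protects the request body: only the transport (SSL) or a message signature does that.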
Basic and Digest Authentication
A Web Service implementation can be made secure by deploying the service Servlet with a deployment descriptor that describes the required protection and access control. The relevant Servlet deployment descriptor elements include realm-name, auth-constraint, role-name and transport-guarantee. The deployment descriptor block below shows how to enable Basic Authentication for a web resource in a J2EE container. Enabling Digest Authentication is the same except that the content of the auth-method element is DIGEST instead of BASIC. Two points to check in such a block: the transport-guarantee of CONFIDENTIAL forces the request onto SSL, which is what keeps the base64 encoded Basic credentials off the wire; and listing http-method elements restricts the constraint to those methods only, so any other method (HEAD, PUT, DELETE and so on) reaches the resource without authentication. Omit the http-method elements to protect the resource for every method.
...
<!-- Elements are in the order the Servlet 2.3 web-app DTD requires:
     security-constraint, then login-config, then security-role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>mywebservice</web-resource-name>
    <description>Quote Service</description>
    <url-pattern>/quotes</url-pattern>
    <!-- Only the listed methods are constrained; remove these two lines to cover all methods -->
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL requires SSL for this resource -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>acme.com</realm-name>
</login-config>
<security-role>
  <role-name>manager</role-name>
</security-role>
...
NTLM Authentication
NTLM Authentication is performed by the IIS server and is enabled by editing the Directory Security settings of the web site in IIS. Consult Microsoft's IIS documentation for details.
Novell exteNd Web Services SDK provides username/password based client authentication using the Basic, Digest and NTLM mechanisms. All three schemes are selected through properties on the Stub. Public key based client authentication, integrity and confidentiality are supported via SSL.
Basic Authentication
Basic Authentication with a username and password is specified on the Stub using the AUTH_SCHEME, USERNAME and PASSWORD properties. For example:
// ctx is a JNDI InitialContext; obtaining it is assumed here and not shown on this page.
Context ctx = new InitialContext();
StockService service = (StockService) ctx.lookup("xmlrpc:soap:StockService");
StockQuote stub = service.getStockQuotePort();
// Select Basic authentication; the credentials are only base64 encoded, so use an https endpoint.
stub._setProperty(stub.AUTH_SCHEME, stub.BASIC_AUTH_SCHEME);
stub._setProperty(stub.USERNAME, username);
stub._setProperty(stub.PASSWORD, password);
float quote = stub.getQuote("SSSW");
Please refer to the documentation of the stub properties in the com.sssw.jbroker.web.portable.Stub class.
Digest Authentication
Digest Authentication is specified in the same manner as Basic Authentication, except that the AUTH_SCHEME property is set to DIGEST_AUTH_SCHEME. As mentioned above, these property constants are defined in the stub class.
NTLM Authentication
NTLM Authentication is also specified in the same way as Basic Authentication, with the addition of the NTLM host and domain properties:
// ctx is a JNDI InitialContext; obtaining it is assumed here and not shown on this page.
Context ctx = new InitialContext();
StockService service = (StockService) ctx.lookup("xmlrpc:soap:StockService");
StockQuote stub = service.getStockQuotePort();
stub._setProperty(stub.AUTH_SCHEME, stub.NTLM_AUTH_SCHEME);
stub._setProperty(stub.USERNAME, username);
stub._setProperty(stub.PASSWORD, password);
// NTLM additionally needs the host and domain used in its challenge/response messages.
stub._setProperty(stub.NTLM_HOST, host);
stub._setProperty(stub.NTLM_DOMAIN, domain);
float quote = stub.getQuote("SSSW");
If you are using NTLM on JDK 1.3, you must include a cryptography provider such as JCE on your CLASSPATH; the cryptography libraries are built into JDK 1.4. To use a different cryptography provider, specify the jbroker.web.security.provider system property.
NTLM, like Digest, keeps the password itself off the wire, but it costs one more HTTP round trip than Digest to authenticate. None of the username/password based schemes provides confidentiality, integrity or verifiable identity for the message itself. For those properties, see SSL and XML Signature.
SSL is a protocol for secure communication between client and server over TCP/IP. With SSL you can not only protect the SOAP messages from third parties but also verify the integrity of each message and, when certificates are presented, the identity of the peer. Novell exteNd Web Services SDK has full support for accessing SSL protected URLs and lets the client configure a number of SSL properties, including client certificates. See the SSLHello example for how to set SSL properties on the client. To use the built-in SSL support of Novell exteNd WSSDK, include wssdk-ssl.jar in your CLASSPATH.
XML Signature
XML Signature is a W3C specification that describes how to digitally sign XML documents, including SOAP messages. A digital signature lets the recipient verify the identity of the entity that sent the message and confirm that the message was not tampered with by a third party in transit; the guarantees are similar to those of SSL, but they are attached to the message itself rather than to the connection. Novell exteNd Web Services SDK has full support for digitally signing SOAP messages: a developer can sign outgoing SOAP messages and/or validate incoming ones by setting specific properties on the Stub or Skeleton. Once set up, every SOAP message generated by the Stub/Skeleton is signed and/or every incoming message is validated. See the signature example for details.