Encryption issues with Chilkat/PowerBuilder/SOAP - encryption

I am looking to do the following:
Perform a secured mutual authentication connection with the interface server.
Encrypt the SOAP body for all web service requests
Sign all SOAP requests using the client private certificate, before sending the request via this interface.
I am struggling with how to encrypt the SOAP body.
Using Chilkat.Crypt2 I can encrypt the entire file; however, this includes the headers, which is not what is required.
Looking for some guidance please!
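The following is an added example (not from the question, and not Chilkat or PowerBuilder code) showing the scoping the question asks for: only the content of soap:Body is encrypted and replaced by an xenc:EncryptedData element in the XML Encryption layout that WS-Security uses, while soap:Envelope and soap:Header stay readable for routing. It assumes the `cryptography` package is installed for AES-256-GCM; the sample envelope, element names and key are constructed for illustration.

```python
"""Encrypt only the SOAP Body, leaving Envelope and Header in the clear.

Added example, not from the original post and not Chilkat/PowerBuilder code.
Assumes the `cryptography` package is available. The envelope, key and
element names below are constructed samples, laid out like
WS-Security / XML Encryption (xenc:EncryptedData inside soap:Body).
"""
import base64
import os
import xml.etree.ElementTree as ET

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("xenc", XENC_NS)

# Constructed sample request: the header must stay readable by intermediaries,
# only the payload inside soap:Body is confidential.
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header><RoutingId>req-42</RoutingId></soap:Header>
  <soap:Body><GetBalance><Account>12345</Account></GetBalance></soap:Body>
</soap:Envelope>"""


def new_key() -> bytes:
    """Fresh 256-bit AES key (in practice derived from the recipient's certificate)."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_body(envelope_xml: str, key: bytes) -> str:
    """Replace the children of soap:Body with one xenc:EncryptedData element."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no soap:Body in envelope")
    # Serialize exactly the body content (its child elements), nothing else.
    plaintext = b"".join(ET.tostring(child) for child in body)
    nonce = os.urandom(12)                  # fresh 96-bit nonce per message
    aad = body.tag.encode()                 # bind the ciphertext to its location
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, aad)
    for child in list(body):
        body.remove(child)
    enc = ET.SubElement(body, f"{{{XENC_NS}}}EncryptedData",
                        Type=f"{XENC_NS}Content")
    ET.SubElement(enc, f"{{{XENC_NS}}}EncryptionMethod",
                  Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm")
    cipher_data = ET.SubElement(enc, f"{{{XENC_NS}}}CipherData")
    cipher_value = ET.SubElement(cipher_data, f"{{{XENC_NS}}}CipherValue")
    # Nonce prepended to the ciphertext, as the xmlenc11 GCM profile does.
    cipher_value.text = base64.b64encode(nonce + ciphertext).decode()
    return ET.tostring(root, encoding="unicode")


def decrypt_body(envelope_xml: str, key: bytes) -> str:
    """Reverse of encrypt_body; raises ValueError on a wrong key or tampering."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    enc = body.find(f"{{{XENC_NS}}}EncryptedData") if body is not None else None
    if enc is None:
        raise ValueError("soap:Body is not encrypted")
    blob = base64.b64decode(enc.find(f".//{{{XENC_NS}}}CipherValue").text)
    nonce, ciphertext = blob[:12], blob[12:]
    try:
        plaintext = AESGCM(key).decrypt(nonce, ciphertext, body.tag.encode())
    except InvalidTag:
        raise ValueError("body ciphertext rejected (wrong key or modified)") from None
    body.remove(enc)
    # Re-parse the decrypted fragment and put its elements back under soap:Body.
    for child in ET.fromstring(f"<wrap>{plaintext.decode()}</wrap>"):
        body.append(child)
    return ET.tostring(root, encoding="unicode")
```

Signing with the client's private certificate would then cover the envelope that contains the EncryptedData element, so the signature is computed over the ciphertext, not over the plaintext body.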

Related

How to secure an API using OAuth Certificate Based Authentication

I have a web application made using servlets and I have a separate API for the web application. I want to secure the API with OAuth so that when we use OAuth, a client certificate is sent instead of credentials to the authorization server for verification, and after verification the access should be allowed to the API. Are there any ways to implement this authentication? If possible, what steps should I take to achieve this?
Client certificate credentials can be used for confidential clients, in either the code flow or the client credentials flow. This type of solution is often used in financial grade setups, where high worth data is involved.
Access tokens issued then contain a cnf claim, so that every API call is bound to the strong credential used at the time of authentication. See the RFC8705 standard for further details.
For a worked end-to-end example that you can run locally, and which covers both the backend and client behaviours, see this Curity code example. Not all authorization servers support these flows, so check for your provider.

Can the AuthPassword be hashed?

I am creating a web site that converts a web page to PDF and download it to the local server.
Can the AuthPassword be hashed to kind of encrypt for security reasons?
You can use token instead of secret. There are two options for getting tokens:
Request new token from convertapi server
Generate token by yourself
More about this you can read here: https://www.convertapi.com/doc/auth
If you are concerned about insecure communication between servers you can use HTTPS, which ensures that the secret is transferred encrypted.

Is there a standard HTTP header servers use to exchange JWTs with clients?

I'm in the process of writing a client and server for an application and I'm wondering if there are any standard/established HTTP headers that servers can use to:
Communicate new/updated JWT data
Receive the JWT from the client
I'm having a difficult time getting results on this because the term "header" is ambiguous with JWT in an HTTP context.
JWT is really just a format for passing signed and/or encrypted data about. Standard headers would most likely be part of a protocol specification instead.
Examples where JWT is used as part of a specification include Mozilla Persona/BrowserID and OpenID Connect, but in these the tokens are generally transferred as part of Ajax requests or occasionally in a URL fragment (for the OpenID Connect IdToken).
For something like OAuth 2.0 Bearer authentication JWT could be a useful option (and is used in some implementations), but the spec doesn't actually say what the token should be. It could equally well be an opaque value linked to some back-end storage.
So I don't believe there are any standard headers specifically designed to hold JWTs - it would depend on the context in which they were being used.

REST: How to transfer authorization key to server?

What is a good way to transfer an authorization key to a server? I'm building a REST API right now and I'm stuck on how the user can authorize on that API. He will get an authorization key (that's not the problem), but what would be a good way to pass this key to the server? As a GET parameter, as an HTTP header field, as a cookie?
Which way is easy to handle in most programming languages (e.g. I want to use the API with PHP or Ajax)?
I suggest sending it via HTTP POST, and if possible encrypting it before sending and decrypting it on the server on an as-needed basis.
You could use the HTTP Basic authentication scheme, which uses the Authorization HTTP header. With Basic authentication, the client must provide its credentials on each request, so you might prefer the Digest authentication scheme, which is a little more secure.
Without more details, I might recommend OAuth 2.0 with the Client Credentials grant type. Basically, the client uses Basic authentication with its client credentials once to receive an access token, and then it uses the access token on subsequent resource requests. Typically the access token is submitted using the Authorization HTTP header.
OAuth is really an authorization framework, but it provides a good solution for API authentication also, and you might find its authorization tools useful for securing access to API resources. It could be that the Authorization Code grant type is applicable to your use case as well.
Related: Best Practices for securing a REST API / web service
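The three answers above (certificate-bound OAuth tokens with a cnf claim, where a JWT travels in HTTP, and how to pass a key to a REST API) share one mechanism: the token goes in the Authorization header as a Bearer credential, and the server verifies it on every request. The added example below, which is not code from any of the answers, ties them together: it mints an HS256-signed JWT carrying the RFC 8705 `cnf` / `x5t#S256` claim, then verifies an incoming Authorization header and checks that the token is bound to the client certificate presented on the TLS connection. The signing key, certificate bytes and claims are constructed samples; a real server would use the authorization server's keys and the DER certificate from its TLS layer.

```python
"""Bearer JWT in the Authorization header, bound to a client certificate.

Added example, not from the original answers. Shows the RFC 8705 'cnf'
claim (x5t#S256 = base64url(SHA-256(DER cert))) and per-request verification
of 'Authorization: Bearer <jwt>'. Key, certificate bytes and claims are
constructed samples.
"""
import base64
import hashlib
import hmac
import json
import time

HS256_KEY = b"constructed-sample-key-do-not-reuse"   # sample shared secret


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 value per RFC 8705: base64url of the SHA-256 of the DER certificate."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_token(subject: str, client_cert_der: bytes, ttl: int = 300, now=None) -> str:
    """Authorization server side: mint an HS256 JWT pinned to the presenting certificate."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + ttl,
              "cnf": {"x5t#S256": cert_thumbprint(client_cert_der)}}
    signing_input = (b64url(json.dumps(header).encode()) + "."
                     + b64url(json.dumps(claims).encode()))
    sig = hmac.new(HS256_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_request(authorization_header: str, presented_cert_der: bytes, now=None) -> dict:
    """Resource server side: parse the header, verify the JWT, enforce the cnf binding."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise PermissionError("expected Bearer credentials in Authorization header")
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed JWT") from None
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":            # never let the token pick the algorithm
        raise PermissionError("unexpected alg")
    expected = hmac.new(HS256_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(c64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    bound = claims.get("cnf", {}).get("x5t#S256")
    if bound is None or not hmac.compare_digest(bound, cert_thumbprint(presented_cert_der)):
        # A token copied off the wire is useless without the matching client key.
        raise PermissionError("token not bound to this client certificate")
    return claims
```

The binding check is what makes the stolen-token case fail: a replayed token arriving over a TLS connection authenticated with a different certificate is rejected even though its signature and expiry are valid.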

Zend AMF implementation and AMF protocol security

I have a Flex frontend connecting via RemoteObject to Zend Framework's Zend Amf. This is my only means to transport data between client layer (Flex) and the application and persistence layers (LAMP with Zend Framework).
Some ways I can address security are as follows:
I can address TLS by using mx.messaging.channels.SecureAMFChannel in my services-config.xml file and ensuring Flash Player is loaded into an HTTPS wrapper and is in fact using HTTPS, since the AMF protocol is layered on top of HTTP.
RemoteObject has a setCredentials method with which I can pass AMF authentication headers to protect user related data. Assuming TLS was actually secure I can expose methods on the endpoint after authenticating the User.
I can protect against cross-site scripting and other Flash vulnerabilities with a properly set up crossdomain.xml.
The question I have is how do I protect my endpoint against another AMF consumer? For instance, if there were another AMF consumer (not Flash, so not bound by crossdomain.xml and Flash sandbox security) other than my Flex client that knew my endpoint, what would stop it from using methods that the endpoint exposes?
As far as I know I essentially need a way to authenticate my Flex application against my Zend Amf endpoint. After AMF consumer authentication, I have some of the security mechanisms I mentioned above to protect certain pieces of data (like User authentication). I can not embed some sort of authentication mechanism into my Flex swf because the swf is vulnerable to decompilation (the swf can not be trusted). While sensitive data is protected via User authentication the unprotected data is hardly public but as far as I can tell is totally open for public consumption.
You cannot prevent anyone from sending arbitrary HTTP requests to your endpoint. If your Flex application authenticates users against the server, and the server only serves sensitive data if the request has proper credentials / session IDs on it, everything is fine. What you cannot do is authenticate the user and only store within the client that the user is authenticated. Since HTTP is a stateless protocol, the server must be able to authorize each request individually. It's the same thing with "regular" websites and AJAX.
AMF clients cannot know who called them unless some sort of authentication is provided. Any HTTP request that Flex sends could be emulated by non-Flex means, and as you correctly noted, any embedded key could be extracted. So there's no generic solution for this, though you could probably work something out if you gave your client certificates for HTTPS connections and made the server check the client certificates.
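As an added illustration of the answers above (not Zend Amf code, and not from the original posters), the dispatcher below authorizes every remote call against server-held session state. Nothing the client sends about itself is trusted: an "isAuthenticated" flag in the arguments, or any key that could have been pulled out of a decompiled swf, has no effect, and only a session id minted by the server after a credential check opens the protected methods. User records, method names and balances are constructed samples.

```python
"""Per-request, server-side authorization for an AMF-style gateway.

Added example, not from the original answers and not Zend Amf code. Users,
passwords, method names and balances are constructed samples.
"""
import hashlib
import hmac
import secrets

_PBKDF2_ROUNDS = 100_000
_USERS = {}                                    # username -> (salt, pbkdf2 hash)
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, _PBKDF2_ROUNDS)


def register(username: str, password: str) -> None:
    """Store a salted PBKDF2 hash; the server never keeps the plaintext password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    _USERS[username] = (salt, digest)


class Gateway:
    """Remote-method dispatcher. Server-held sessions decide access, never the client."""

    def __init__(self):
        self._sessions = {}                    # opaque session id -> username
        self._public = {"ping": self._ping}    # callable without a session
        self._protected = {"get_balance": self._get_balance}

    def login(self, username: str, password: str) -> str:
        """Check credentials and return an opaque, unguessable session id."""
        salt, stored = _USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
        # Always hash and compare in constant time, so unknown users and wrong
        # passwords take the same path and the same time.
        if username not in _USERS or not hmac.compare_digest(candidate, stored):
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)

    def call(self, method: str, args: dict, session_id=None):
        """Authorize every call here. Identity claims inside `args` are ignored."""
        if method in self._public:
            return self._public[method](args)
        user = self._sessions.get(session_id) if session_id else None
        if user is None:
            raise PermissionError(f"{method}: valid session required")
        handler = self._protected.get(method)
        if handler is None:
            raise LookupError(f"unknown method {method}")
        return handler(user, args)

    @staticmethod
    def _ping(args):
        return "pong"

    @staticmethod
    def _get_balance(user, args):
        balances = {"alice": 1250}             # constructed sample data
        return {"user": user, "balance": balances.get(user, 0)}
```

With client certificates on the HTTPS connection, as the second answer suggests, the `login` step would be replaced by the TLS layer presenting a verified certificate identity, but the per-call check in `call` stays exactly where it is.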