发表新帖
发表新帖

Security for Spring Restful Web Services

后端 未结
关注
2 681
暗喜
暗喜 2021-02-01 07:38

I am writing a Spring Restful Web Services Project. I need to write secure Web Services. For Security I am already using Spring Security+SSL, however now i need some securit

相关标签:
2条回答
  • 感情败类
    2021-02-01 07:51

    You basically have two patterns for REST security:

    1. Encrypt and sign requests/responses at the application level and run over HTTP. This involves a significant amount of work as you need to canonicalize all data before signing and ensure the client/server follows exactly the same process. This approach was adopted in early versions of the amazon web service protocols.

    2. Use SSL (possibly with client certificates). This is the preferred approach as there is no need to reinvent the wheel. SSL accelerators are available and performance will be significantly better than handling encryption and signing in your code.

    Amazon have now moved to using SSL and you should do the same. This article gives a good comparison of the two approaches.

    REST vs SOAP

    You referred to SOAP and WS-Security which defines a protocol for encryption and signing at message (rather than transport) level. The reason WS-Security defines such a protocol is to provide end-to-end confidentiality, integrity and authenticity over a brokered SOA architecture. For example you may send a SOAP message from Service A to Service B which goes via C D and E. SSL/TLS works at a transport level and would therefore only protect the message between A and B. However REST is not intended for a brokered architecture so this approach is not applicable in your case.

    0 讨论(0)
  • 感情败类
    2021-02-01 08:09

    There are multiple ways to secure your restful webservices, unfortunately there are many links which provides information to secure a soap web services, but as restful gaining popularity, it is of utmost necessity to find a way to secure and to find a way to manage sessions of your restful web service. So to secure my Spring MVC with restful support, You need to atleast consider for three Aspect

    1) Authentication. -- For Authentication Spring Security can be used.
    2) Authorization. -- For Authorizing a request OAuth can be used.
    3) Securing the communication. -- SSL can be used to secure the communication channel.
    4) Encryption -- Again Oauth can solve the purpose
    5) Message Signing. -- Again Oauth can solve the purpose

    So , to secure a restful webservice spring security + OAuth can be used. The other security mechanisms which can be used are Http Basic Security and Digest Security.

    Here is a very good example securing a spring restful webservice with spring security: http://java.dzone.com/articles/securing-restful-web-service

    Also to use spring security in conjunction with OAuth you can follow this tutorial:

    Spring security with OAuth

    0 讨论(0)
 看不清?
提交回复
热议问题