Some 'more, in-depth' information on Oracle BPEL PM, ESB and other SOA, day2day things

Wednesday, May 19, 2004

Making your Webservice really secure? A little howto ..

When using Oracle SOAP webservices, your web.xml maps your webservice to oracle.j2ee.ws.StatelessJavaRpcWebService (if you use stateless webservices).
So besides the standard security, like basic auth, what more can you do to make the service less visible to attackers?

The Java-driven approach is to override (by extending the base class) some methods of that base class.

So in our case, the easiest way is to extend oracle.j2ee.ws.StatelessJavaRpcWebService and override the methods listed below.

In case you don't want to type the methods by hand, use JDeveloper to generate the method stubs: create the class and declare it as extends oracle.j2ee.ws.StatelessJavaRpcWebService.
Then:
-> Menu -> Tools -> Override Methods -> choose the methods -> press OK

  package example; // the package name is an assumption, use your own

  import java.io.IOException;

  import javax.servlet.ServletException;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;

  import oracle.j2ee.ws.StatelessJavaRpcWebService;

  /**
   * Hardened replacement for oracle.j2ee.ws.StatelessJavaRpcWebService.
   * Every GET "convenience" handler of the base class is overridden with an
   * empty body, so the endpoint answers SOAP requests only and no longer hands
   * out its WSDL, test page, home page or generated client code.
   * (The class name is only an example, pick your own.)
   */
  public class HardenedStatelessWebService extends StatelessJavaRpcWebService {

    /**
     * Override this method to disable the feature of retrieving the WSDL file
     * by using ?WSDL as param.
     * @param pRequest the HTTP Request
     * @param pResponse the HTTP Response
     * @throws javax.servlet.ServletException
     * @throws java.io.IOException
     */
    protected void doGetWSDL(HttpServletRequest pRequest, HttpServletResponse pResponse)
        throws ServletException, IOException {
      // intentionally empty: the WSDL is never written to the response
    }

    /**
     * Override this method to disable the feature of retrieving the test page
     * (the default page when you just open the webservice URL in a browser
     * and try invoking a method from a link).
     * @param pRequest the HTTP Request
     * @param pResponse the HTTP Response
     * @param pString third parameter as declared by the base class
     * @throws javax.servlet.ServletException
     * @throws java.io.IOException
     */
    protected void doGetTestPage(HttpServletRequest pRequest,
        HttpServletResponse pResponse, String pString)
        throws ServletException, IOException {
      // intentionally empty: no test page is rendered
    }

    /**
     * Override this method to disable the feature of retrieving the home page
     * for the webservice.
     * @param pRequest the HTTP Request
     * @param pResponse the HTTP Response
     * @throws javax.servlet.ServletException
     * @throws java.io.IOException
     */
    protected void doGetHomePage(HttpServletRequest pRequest,
        HttpServletResponse pResponse) throws ServletException, IOException {
      // intentionally empty: no home page is rendered
    }

    /**
     * Override this method to disable the feature of retrieving the generated
     * client source (by using param ?proxy_source) for the client jar
     * built from the WSDL.
     * @param pRequest the HTTP Request
     * @param pResponse the HTTP Response
     * @throws javax.servlet.ServletException
     * @throws java.io.IOException
     */
    protected void doGetGeneratedSource(HttpServletRequest pRequest,
        HttpServletResponse pResponse) throws ServletException, IOException {
      // intentionally empty: generated source is not served
    }

    /**
     * Override this method to disable the feature of retrieving the compiled
     * client jar (by using param ?proxy_jar) built from the WSDL.
     * @param pRequest the HTTP Request
     * @param pResponse the HTTP Response
     * @param p2 third parameter as declared by the base class
     * @throws javax.servlet.ServletException
     * @throws java.io.IOException
     */
    protected void doGetClientJar(HttpServletRequest pRequest,
        HttpServletResponse pResponse, boolean p2) throws ServletException, IOException {
      // intentionally empty: the client jar is not served
    }
  }

--
Once this is done, just replace the mapping in web.xml so it points to your newly created servlet (the one that extends the Oracle class), redeploy - and voila, it's done!
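The mapping swap from the last step, as an added example that is not part of the original post: the web.xml fragment below points the URL pattern at the hardened subclass instead of the Oracle base class and adds the basic-auth constraint mentioned at the top. The servlet name, class names, url-pattern, role name and the init-param names class-name / interface-name are assumptions; copy the ones your own deployment descriptor uses.

```xml
<!-- web.xml fragment; all names are examples, not from the original post -->
<web-app>
  <servlet>
    <servlet-name>OrderService</servlet-name>
    <!-- Before: the Oracle base class, which also serves ?WSDL, the test
         page, the home page, ?proxy_source and ?proxy_jar
    <servlet-class>oracle.j2ee.ws.StatelessJavaRpcWebService</servlet-class>
    -->
    <!-- After: the subclass with the overridden GET handlers -->
    <servlet-class>example.HardenedStatelessWebService</servlet-class>
    <!-- init-params stay as generated for the base class; the names
         class-name / interface-name are assumed here, keep your own -->
    <init-param>
      <param-name>class-name</param-name>
      <param-value>example.OrderServiceImpl</param-value>
    </init-param>
    <init-param>
      <param-name>interface-name</param-name>
      <param-value>example.OrderService</param-value>
    </init-param>
  </servlet>

  <servlet-mapping>
    <servlet-name>OrderService</servlet-name>
    <url-pattern>/OrderService</url-pattern>
  </servlet-mapping>

  <!-- the "standard security": basic auth on the endpoint, so the
       remaining SOAP POSTs still need credentials -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OrderService</web-resource-name>
      <url-pattern>/OrderService</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ws-client</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>OrderService</realm-name>
  </login-config>

  <security-role>
    <role-name>ws-client</role-name>
  </security-role>
</web-app>
```

After redeploying, a GET on the endpoint URL with ?WSDL should come back empty while a SOAP POST with valid credentials still works; that is the quick check that the right class is mapped.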

Questions? Send me feedback on this entry: Advanced Webservice-Security
