SOAP WS Security Introduction

Bharath Thippireddy
A free video tutorial from Bharath Thippireddy

Learn more from the full course

Java Web Services Part 2 - SOAP and REST Security

Master advanced web services concepts and implement them in easy steps

04:22:27 of on-demand video • Updated October 2021

  • Develop a simple SOAP service and client
  • Learn what WS Security is
  • Master the four security concepts - Authentication, Confidentiality, Integrity and Non-Repudiation
  • Implement SOAP Web Services security using Apache CXF and WSS4J
  • Implement Username Token Profile authentication on client and the provider
  • Understand Encryption and Decryption
  • Learn how to use the java keytool
  • Generate and use keys/certificates
  • Implement Encryption and Decryption
  • Sign the SOAP messages and ensure message integrity
  • Enable Timestamps to prevent replay attacks
  • And much more in the future on this agile style and incremental course
When we talk about security in general, or in web services, there are four areas that need to be addressed: authentication, confidentiality, integrity and non-repudiation. Let's take a look at each of these with a use case of online shopping. Let's say we are building an e-commerce application called eMart where the customer purchases something and makes a payment. To make that payment, eMart will call into the bank's payment gateway web service, and when it does that, the bank will ask eMart to provide authentication information, which is usually a username and password; otherwise any hacker, a friendly neighborhood hacker, can hack into the bank's payment gateway. The process of exchanging the username and password and making sure that it is really the eMart application that is accessing the bank's payment gateway is called authentication, and only then will the bank respond. In the WS-Security standard there are three ways to do authentication: Username Token Profile, X.509 certificates and SAML. SAML is used for single sign-on. That is, within our organization, if we have multiple web service provider applications and we want our clients to log in to one of the applications and then be able to access any other web service application or provider without logging in again, we can do that using SAML.

Second is a very important aspect, confidentiality. When we exchange SOAP messages, it could be credit card information or social security numbers or any other sensitive information, and we do not want the hackers, or the pirates of the web, to access that data and make their own payments. That is where confidentiality comes in. In WS-Security we will make sure that even if the hacker finds the message, he will not be able to make sense out of it, by using WS-Security's encryption and decryption. That is, on the client side, when the message is sent, we encrypt it; on the server side we will decrypt it; and on the way back we will encrypt the response and on the client side we will decrypt it. We will work hands-on on all of that later on.

Third is integrity of the message. This is where we ensure that the message that is sent by the client application is exactly the same message that is received by the server application, and that no other hacker who likes to add random stuff will add stuff to our message which can crash our server-side application when it is run; he can add scripts that, when run, can crash our database or the application server. We make sure we provide integrity using WS-Security signatures. That is, when we send the message we will calculate a hash value of the message using an algorithm, and that hash will be a part of the message that goes to the server. On the server side we will recalculate the hash and compare both hashes, the one that came from the client as well as the hash value that we calculate on the server, and they should match; if not, that means somebody in between has changed the message. More on signatures in later lectures.

Last but not least, non-repudiation, which prevents replay attacks. That is, if a hacker captures our message in between, which is properly authenticated, encrypted and has the signature, he simply takes the message and replays that message a million times in the next five minutes to crash our application. WS-Security provides a timestamp to stop replay attacks from happening. We are going to implement all of these in the next few lectures: Username Token Profile to authenticate, encryption and decryption using public keys and private keys, integrity using signatures, and finally we will use the timestamp to prevent replay attacks.