Securing SOAP web services

Started by impiastro, November 12, 2009, 05:35:00 pm


impiastro

I'd like to secure konakart web services.

In this document (http://www.konakart.com/docs/soapAPIs.html#WS_Security) there is a pointer to a KonaKart-WS-Security.txt file inside the download kit under java_soap_examples, but I cannot find it.

Any ideas about its position? Or any ideas about securing web services in konakart?

Thank you,

ROb

greg

November 12, 2009, 06:55:10 pm #1 Last Edit: November 12, 2009, 07:00:07 pm by greg
Hi Rob,

That particular file, an example and a key-making utility are actually only provided in the Enterprise kit I'm afraid.


There's nothing to stop you securing the web services in the Community Edition, however. They're standard AXIS services and there's plenty of help on the web for securing these in various different ways.

For example, this is a good place to start:  http://ws.apache.org/axis/java/security.html

Note that they start off disabled by default in KonaKart but you probably already knew that....

-Greg

impiastro

Thank you Greg.

I know that they are disabled by default; I enabled them using the specific ant target.
I think that they are disabled by default, but they are also unsecured: by running the AxisExample and changing some lines of code I could verify, using the email, whether a customer is present (method: doesCustomerExistForEmail), so I think that all web service calls are exposed to all users.

I'll look at your link for further information, bye.

ROb

greg

Hi Rob,

The more sensitive calls will require the session Id of an authenticated user.

You seem to be well on your way but as a reminder, when working with the SOAP versions of the APIs you can refer to the javadoc for detailed information on the calls... because the calls are identical to the plain old java ones.

Indeed, you can write your code against the engine interface then switch the engine from the java one (KKEng) to the SOAP one (KKWSEng) as late as at runtime.

-Greg

impiastro

OK, thank you for the reminder, I'll keep it in mind.

impiastro

I would like to let you know about my approach for securing the KK web services using Tomcat Basic Authentication.
I followed this article (http://www.ibm.com/developerworks/webservices/library/ws-sec1.html), changing some information and also modifying the KKWSEngIfServiceLocator. Be careful about an error in Listing 3 of this article; I'm reporting the right XML code in the following steps.
I secured only the konakart application, not the konakartadmin one.

These are the securing steps:

  • modify the tomcat-users.xml file inside your Tomcat configuration directory; this is mine:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="wsuser"/>
  <user username="wsuser" password="wspwd" roles="wsuser"/>
</tomcat-users>

  • secure the konakart web application by modifying the web.xml file inside the konakart/WEB-INF/ directory.
    Insert this code just before the closing tag </web-app>:

<security-constraint>
   <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <!-- specify the directory for the restricted Web Services application -->
      <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
      <!-- specify the role name of the new user added in the tomcat-users.xml step -->
      <role-name>wsuser</role-name>
   </auth-constraint>
</security-constraint>

<!-- Define the Login Configuration for this Application -->
<login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>Protected Web Services</realm-name>
</login-config>

  • test the Basic Authentication against your konakart application, usually http://localhost:8780/konakart/

  • modify the class KKWSEngIfServiceLocator generated by the Axis WSDL2Java ant target (in the konakart custom directory):

public <package>.konakart.ws.KKWSEngIf getKKWebServiceEng(java.net.URL portAddress) throws javax.xml.rpc.ServiceException {
    try {
        <package>.konakart.ws.KKWebServiceEngSoapBindingStub _stub = new <package>.konakart.ws.KKWebServiceEngSoapBindingStub(portAddress, this);
        _stub.setPortName(getKKWebServiceEngWSDDServiceName());

        /* the web service is secured: send the Basic Authentication credentials defined in tomcat-users.xml */
        _stub.setUsername("wsuser");
        _stub.setPassword("wspwd");

        return _stub;
    }
    catch (org.apache.axis.AxisFault e) {
        return null;
    }
}

  • finally, test your code!

I hope these steps can be helpful to anyone who, like me, needs to secure the KK web services.
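As an added check (not code from this thread or from KonaKart), the following Python script cross-checks the two XML fragments from the steps above: it parses tomcat-users.xml and web.xml, confirms that the role named in the auth-constraint is defined and held by at least one user, and flags a security-constraint that carries no transport-guarantee, because BASIC only base64-encodes wsuser:wspwd and relies on HTTPS (CONFIDENTIAL) to keep them private. The embedded XML strings are constructed copies of the fragments above; the namespace stripping lets the same lookups work on a real web.xml that declares the javaee namespace.

```python
import xml.etree.ElementTree as ET
# Constructed copies of the two fragments posted above (not the live files).
TOMCAT_USERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="wsuser"/>
  <user username="wsuser" password="wspwd" roles="wsuser"/>
</tomcat-users>"""
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>wsuser</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected Web Services</realm-name>
  </login-config>
</web-app>"""

def _parse(xml_text):
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop namespace prefixes so a real web.xml (xmlns=javaee) matches bare tags
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def tomcat_roles(tomcat_users_xml):
    """Map each role in tomcat-users.xml to the set of users that hold it."""
    root = _parse(tomcat_users_xml)
    roles = {r.get("rolename"): set() for r in root.findall("role")}
    for user in root.findall("user"):
        for role in filter(None, (r.strip() for r in user.get("roles", "").split(","))):
            roles.setdefault(role, set()).add(user.get("username"))
    return roles

def check_web_xml(web_xml, tomcat_users_xml):
    """Cross-check web.xml constraints against tomcat-users.xml; an empty list means consistent."""
    findings, roles = [], tomcat_roles(tomcat_users_xml)
    for sc in _parse(web_xml).findall("security-constraint"):
        patterns = [p.text for p in sc.findall("web-resource-collection/url-pattern")]
        for rn in sc.findall("auth-constraint/role-name"):
            if rn.text not in roles:
                findings.append(f"role {rn.text!r} for {patterns} is not defined in tomcat-users.xml")
            elif not roles[rn.text]:
                findings.append(f"role {rn.text!r} for {patterns} has no user in tomcat-users.xml")
        if sc.find("user-data-constraint/transport-guarantee") is None:
            # BASIC only base64-encodes wsuser:wspwd, so without CONFIDENTIAL (HTTPS) it is readable on the wire
            findings.append(f"{patterns}: no transport-guarantee, BASIC credentials cross the network in clear")
    return findings
```

Run it against the real files by reading them into the two arguments; a clean result is an empty list.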

heidi

Thanks for sharing your experience, impiastro :)