Suppose I have created a web service (DataOperation.asmx) within my web application. Now I am calling this web service through my .aspx page using jQuery, like:
$.ajax({
type: "POST",
url: "../../DataOperation.asmx/someMethod",
cache: false,
data: "param1=" + p1,
async: false,
success: function(msg) {
}
});
Now my question is: if anyone sees this web service name and web method name by investigating the HTML page source code, then he can use it from anywhere and can put in some malicious entry by calling this web service. So how should I protect this web service from others, while at the same time I should be able to use it with jQuery/JavaScript calls?
Anyone who knows the answer would be appreciated.
Regards, Haidar
The scenario is we have SOA Suite installed at our end and we have deployed a process which is accessible via
http://host:port/service/someService
Now our requirement is how to secure this link, that is, call the service using HTTPS, so the new request should appear like
https://host:port/service/someService
Again, I would like you all to go through this link to get some idea about keys and certificates.
http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html
Based on this note I will generate a key.
Open a command window, navigate to the jdk/bin directory and issue the command
keytool -genkey -alias arpit -dname "CN=Arpit, OU=Integration, O=Oracle, L=Bangalore, S=Karnataka, C=IN" -keyalg RSA -keypass welcome1 -storepass welcome1 -keystore arpit.keystore
It should be like
Once you execute this command, you will find a key with the name arpit.keystore created in the same folder where you executed it.
You can copy arpit.keystore into $ORACLE_HOME/j2ee/home/config
Now again
- Copy default-web-site.xml to secure-web-site.xml
- Edit the secure-web-site.xml:
  2.1. Change the web-site tag by changing the port to 4443 and adding the element secure="true"
  2.2. Add the ssl-config element and point this to the newly created keystore.
The file looks like:
... ...
- Import the new Web site in your OC4J instance by editing the $ORACLE_HOME/j2ee/home/server.xml file. You need to add or replace the web-site tag. In
... ...
Since we have copied the file from the default-web-site, all applications are available using HTTP and HTTPS.
Now start OC4J and test the HTTPS port.
It should work. This is for a standalone container.
I would secure it by making sure the request is from the same session that the page is served in. You can do this by issuing a signed cookie when you return the page that contains the JavaScript that is going to call back into your web service. When your page makes the ajax call, it will include this signed cookie, which you can validate within your web method before returning any results. To prevent cookie spoofing, store a unique tokenID in your session and make that tokenID part of your cookie. If the tokenIDs do not match, don't process the web method (just return an error).
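The check described in the answer above, as an added example that is not part of the original thread: the server stores a random tokenID in the session, sends it to the browser in an HMAC-signed cookie, and the web method rejects any call whose cookie is unsigned, tampered with, or issued for a different session. It is written in JavaScript (Node.js) rather than ASP.NET, and SERVER_KEY, issueCookie, validateCookie and the session objects are hypothetical names.

```javascript
// Added example; all names and sample values here are constructed for illustration.
const crypto = require("crypto");

// Server-side secret used to sign cookies. It never leaves the server.
const SERVER_KEY = crypto.randomBytes(32);

function sign(value) {
  return crypto.createHmac("sha256", SERVER_KEY).update(value).digest("hex");
}

// Constant-time string comparison; timingSafeEqual throws on unequal lengths,
// so the length is checked first.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Run when the page is served: put a fresh tokenID in the session and
// return the cookie value "tokenID.signature" to send with the page.
function issueCookie(session) {
  session.tokenID = crypto.randomBytes(16).toString("hex");
  return session.tokenID + "." + sign(session.tokenID);
}

// Run at the top of the web method, before any work is done.
function validateCookie(session, cookie) {
  if (typeof cookie !== "string" || !session.tokenID) return false;
  const parts = cookie.split(".");
  if (parts.length !== 2) return false;
  const [tokenID, mac] = parts;
  // 1. The cookie must carry a signature made with the server key.
  if (!safeEqual(mac, sign(tokenID))) return false;
  // 2. The signed tokenID must be the one stored in this caller's session.
  return safeEqual(tokenID, session.tokenID);
}

// Constructed demo: two independent sessions that each loaded the page.
function demo() {
  const alice = {}, other = {};
  const aliceCookie = issueCookie(alice);
  const otherCookie = issueCookie(other);
  return {
    ownCookie: validateCookie(alice, aliceCookie),
    otherSession: validateCookie(alice, otherCookie), // signed, wrong session
    tampered: validateCookie(alice, alice.tokenID + "." + "0".repeat(64)),
    noCookie: validateCookie(alice, undefined),
    noSession: validateCookie({}, aliceCookie), // caller never loaded the page
  };
}
```

The web method would return an error whenever validateCookie returns false, as the answer describes.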