
How to secure my webservices through JQuery/Javascript calls?

开发者 (Developer) https://www.devze.com 2023-03-15 09:37 Source: web
Suppose I have created a web service (DataOperation.asmx) within my web application. Now I am calling this webservice through my .aspx page using JQuery. like:


    $.ajax({
        type: "POST",
        url: "../../DataOperation.asmx/someMethod",   // the web method being called
        cache: false,
        data: "param1=" + p1,                         // p1 is set elsewhere on the page
        async: false,
        success: function(msg) {
            // handle the response returned by someMethod
        }
    });

Now my question is, if anyone sees this web service name and web method name by investigating the HTML page source code, then he can use it from anywhere and put in malicious entries by calling this web service. So how should I protect this web service from others while at the same time still being able to use it with jQuery/JavaScript calls?

Anyone who knows the answer, your help would be appreciated.

Regards, Haidar


The scenario is we have SOA Suite installed at our end and we have deployed a process which is accessible via

http://host:port/service/someService

Now our requirement is how to secure this link, that is, call the service using HTTPS so that the new request should appear like

https://host:port/service/someService

Again, I would like you all to go through this link to get some idea about keys and certificates.

http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html

Based on this note I will generate a key.

Open a command window, navigate to the jdk/bin directory and issue the command

    keytool -genkey -alias arpit -dname "CN=Arpit, OU=Integration, O=Oracle, L=Bangalore, S=Karnataka, C=IN" -keyalg RSA -keypass welcome1 -storepass welcome1 -keystore arpit.keystore

It should be like

Once you execute this command you will find a key store named arpit.keystore created in the same folder where you ran it.

You can copy the arpit.keystore into $ORACLE_HOME/j2ee/home/config

Now again

  1. Copy default-web-site.xml to secure-web-site.xml

  2. Edit the secure-web-site.xml:
     2.1. Change the web-site tag by changing the port to 4443 and adding the attribute secure="true"
     2.2. Add the ssl-config element and point it to the newly created keystore. The file looks like:

... ...

  3. Import the new Web site in your OC4J instance by editing the $ORACLE_HOME/j2ee/home/server.xml file. You need to add or replace the web-site tag. In

... ...

Since we have copied the file from the default-web-site, all applications are available using HTTP and HTTPS.

Now start OC4J and test the HTTPS port.

It should work. This is for a standalone container.


I would secure it by making sure the request is from the same session that the page is served in. You can do this by issuing a signed cookie when you return the page that contains the JavaScript that is going to call back into your web service. When your page makes the ajax call, it will include this signed cookie, which you can validate within your web method before returning any results. To prevent cookie spoofing, store a unique tokenID in your session and make that tokenID part of your cookie. If the tokenIDs do not match, don't process the web method (just return an error).

