Client Web Site -> Our Web Service (ActiveWebService) -> Our Database,
and back.
We'd like to eliminate the overhead of a challenge/response type of
system. We've come up with this:
The client GPG-signs a UUID+Time. This way an interception of the token
is worthless since it's only good for one request. Since the time
portion of the tokens is sequential, we don't need to store a lot of them.
We can just provide a 1 minute window around our latest token.
So tokens are only good for one request. We have to store the latest
token. Since the tokens are signed, tokens can't be generated by a
third party without first compromising the client's private key.
Can anyone poke holes in this idea for us? Or do you have any better
ideas?
Thanks!
Scott
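To make the proposal above concrete, here is an added example (not code from the thread or from ActiveWebService) of the server-side checks a verifier for such a token would have to perform in order: signature, time window, then one-time-use. It assumes an RSA/SHA-256 signature via Ruby's OpenSSL bindings in place of GPG so that it runs without a keyring, a constructed wire format of "<uuid>|<unix-time>|<base64 signature>", and a window measured against the server clock rather than against the latest accepted token; the class and method names are made up for this example.

```ruby
require 'openssl'
require 'securerandom'
require 'time'

# Server-side verifier for a "signed UUID + time" request token.
# Assumption: RSA/SHA-256 via OpenSSL stands in for the GPG signature.
class SignedTokenVerifier
  WINDOW_SECONDS = 60 # the "1 minute window" from the proposal

  # `now` is injectable so the expiry behaviour can be exercised deterministically.
  def initialize(client_public_key, now: -> { Time.now.utc })
    @pub  = client_public_key
    @now  = now
    @seen = {} # uuid => token time; only tokens inside the window are kept
  end

  # Returns :ok, or a symbol naming the first check the token failed.
  def verify(token)
    uuid, ts, sig_b64 = token.to_s.split('|', 3)
    return :malformed unless uuid && ts && sig_b64
    return :malformed unless uuid.match?(/\A[0-9a-f-]{36}\z/) && ts.match?(/\A\d+\z/)

    sig = begin
      sig_b64.unpack1('m0') # strict base64; raises on junk
    rescue ArgumentError
      nil
    end
    return :malformed unless sig

    payload = "#{uuid}|#{ts}"
    # 1. The signature must verify under the client's public key; anything else
    #    is either tampering or a token minted without the client's private key.
    return :bad_signature unless @pub.verify(OpenSSL::Digest.new('SHA256'), sig, payload)

    # 2. The timestamp must fall inside the acceptance window. Tokens older than
    #    the window are rejected here, which is what lets the replay store stay small.
    token_time = Time.at(ts.to_i).utc
    return :expired if (@now.call - token_time).abs > WINDOW_SECONDS

    # 3. Each UUID is accepted exactly once within the window (replay protection).
    prune!
    return :replayed if @seen.key?(uuid)

    @seen[uuid] = token_time
    :ok
  end

  private

  # Drop UUIDs whose tokens would now be rejected as expired anyway.
  def prune!
    cutoff = @now.call - WINDOW_SECONDS
    @seen.delete_if { |_uuid, t| t < cutoff }
  end
end

# Client side: mint a fresh token for a single request.
def mint_token(private_key, now = Time.now.utc)
  payload = "#{SecureRandom.uuid}|#{now.to_i}"
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), payload)
  "#{payload}|#{[sig].pack('m0')}"
end

if $PROGRAM_NAME == __FILE__
  key = OpenSSL::PKey::RSA.new(2048) # constructed client key for the demo
  verifier = SignedTokenVerifier.new(key.public_key)
  token = mint_token(key)
  puts "first use:  #{verifier.verify(token)}"   # :ok
  puts "second use: #{verifier.verify(token)}"   # :replayed
end
```

The order of the checks matters: verifying the signature first means an unsigned flood cannot populate the replay store, and checking the window before the store means the store only ever holds about a minute's worth of UUIDs.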
Another idea is using wss4r with ActiveWebService. You can then encrypt
and/or sign the requests/responses from both client and server. WSS4R
uses certificates for signing and encryption. Another advantage is that
it conforms to some web service specs, so you can use other clients
like java or .NET.
There is an example ActiveWebService/rails application that uses
encryption and signing and also clients in ruby and C#/.NET.
[1] http://www.rubyforge.org/projects/wss4r
Regards,
Roland
No offense, but "eliminating the overhead" by introducing a full
round-trip through GPG each time is kind of ridiculous. Why not simply
generate SSL client certs and distribute them to your clients? It's no
less secure (or more work for you) than importing GPG/PGP keys, and
re-uses the existing HTTPS security model.
-Lennon
c:/ruby/lib/ruby/1.8/i386-mswin32/digest.so: Class is not a module (TypeError)
from c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
from c:/ruby/lib/ruby/gems/1.8/gems/activesupport-1.2.5/lib/active_support/dependencies.rb:214:in `require'
from c:/ruby/lib/ruby/1.8/pstore.rb:11
from c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
from c:/ruby/lib/ruby/gems/1.8/gems/activesupport-1.2.5/lib/active_support/dependencies.rb:214:in `require'
from c:/ruby/lib/ruby/1.8/cgi/session/pstore.rb:13
from c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
from c:/ruby/lib/ruby/gems/1.8/gems/activesupport-1.2.5/lib/active_support/dependencies.rb:214:in `require'
... 17 levels...
from c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
from c:/ruby/lib/ruby/site_ruby/1.8/wss4r/rpc/wssdriver.rb:4
from c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
from client.rb:2
This is on a Windows XP machine with Ruby 1.8.4. Any ideas?
Thanks,
Scott
Sorry for the late reply.
I've tested with WinXP and Ruby 1.8.4 too, but I will look into this
problem. Perhaps the openssl-bindings are not working with your
installation?
Kind regards,
Roland