EWS Authentication security

Hi,

We have deployed our webservices on tomcat. Other applications are getting the security token using AuthenticateUser over HTTP which is not safe as the userid and pw are not encrypted. I am looking for some options to prevent the un-authorized webservice invocation. If somebody gets hold of the userid and password during the Authetication service call, he can use that to call any webservice.

Has anybody taken extra security steps like userid/pw encryption,HTTPS etc to prevent un-authorized access?

Thanks,

Kapil

Find more posts tagged with

Comments

Jason_Smith

Setting up tomcat to use SSL (https) is likely the easiest way to ensure traffic coming into Tomact is encrypted.

J

Bill_Miller

Also to make it even more secure, make sure that you also disable non-HTTP traffic ports within Tomcat. That way it won't be possible to connect to the Tomcat instance insecurely.

Kapil_Chaudhari

Thanks Jason,Bill. As Bill already mentioned, if I turn on SSL, i will have to disable the other connector.

what about the performance hit because of the SSL handshake?

Kapil

Bill_Miller

In typical hardware scenarios the SSL overhead is pretty low. It's only in cases where the server is being driven to higher utilization levels that the impact becomes noticable.

In those cases an intermediary server that does the SSL handshaking/encryption/decryption (Apache) can be useful, but then you end up with a portion of the network traffic that is insecure and has potential to be sniffed... and you're back where you started

The best option is to monitor server utilization and adjust when it becomes a problem (or test it with expected load levels and adjust if there is a problem).

Kapil_Chaudhari

Thanks Bill.