Axis web service security work round

This is a bit of an old one, but might be useful to Domino people (or in fact anyone) out there that still are not using security on their web services who really should know better, I’m mainly thinking of large corporations that treat their internal network as some kind of safe playground, I don’t suggest this a permanent fix, it is just a good solution if you simply don’t have the time or resources to put proper security in place.

This example came about when a security review was done on a application which was built a few years ago when web services were first all the rage and were built using something like AXIS 1.X, multiple applications including domino are consuming a set of services based on apache. we want to limit this so that random people/computers cant just read and post what they like, thank fully this is easy for apache

First find your http.conf file and find your web service location, most likely in a directory tag such as:

<Directory “D:/Apache2.2/htdocs”>

You will most likely find an couple of lines like this

Order allow,deny

Allow from all

Change them (add them if they are not there) to

Order Deny,Allow
Deny from all

This will lock down your web service completely which is not that much use, so now, add a line below such as

Allow from

Here you can list the servers you want to allow access to the web service, you can add all servers in a sub net (if your company uses a static IP address sub net) by only putting in the subnet eg, 192.168.1, as well as FQDN’s, full documentation can be found Here

In a perfect world that should be all you need, but if you applying this to an existing web service, someone is sure to need access from a computer or program (such as soapUI) not on a static server, so you will have to add a backdoor to let them in,

So next add the lines

SetEnvif User-Agent “backdoor” webservicebackdoor
Allow from env=webservicebackdoor

This means that if you set the “User-Agent Header” in programs like firefox and soapUI (its under file –> preferences) to “backdoor” the web services will start talking to you again ( yes I know it a security hole, but I’m trying to just make the best of a bad situation)

With some service clients this wont work as they dont allow the changing of the User-Agent, the most notable to me is Spring using CXF, as it uses an alternative web request header called “BrowserType” which set in the same way

SetEnvif BrowserType “backdoor” webservicebackdoor
Allow from env=webservicebackdoor

Also on your spring config in the conduit settings you include the “BrowserType” as shown

<http-conf:conduit name=”*”>
<http-conf:client ReceiveTimeout=”180000″ BrowserType=”backdoor” />

and now that would work just fine again

There you go, a little fringe but hopefull usefull to someone.

Leave a Reply

Your email address will not be published.