What is the best practice to secure a CA Gen EJB Web Service and Custom Web Service (moving from EJBs)

Article ID: 206099

Updated On:

Products

CA Gen CA Gen - Run Time Distributed

Issue/Introduction

Moving from EJBs to EJB Web Services where both Gen and non-Gen clients (via Java Proxy) are used.
The concern is that the EJB Web Service/Custom Web Service URL is effectively public and anyone who knows it can use it.
What is the best practice to secure a CA Gen EJB Web Service and Custom Web Service?

Environment

Release : 8.6
Component : CA Gen Enterprise Java Beans

Resolution

Support discussed with a Gen SME consultant any field experience of moving from EJBs to EJB Web Services with regard to security, i.e. any differences, using HTTPS/SSL and general best practices. The main points:
- As EJB Web Services rely on Java EE annotations to connect to the servers, there is no Gen runtime intervention between the web service and the EJB (as opposed to a Gen Java Proxy-based solution).
- Using HTTPS is no problem, as the Gen code is behind the HTTP/S layer and communication between the web service and the EJB is done through RMI.
- Finally, the WSDL is a specification of the service provided, so it’s good to have a copy of the contract when planning to invoke a web service. Of course, with Gen the situation can be different if you plan to reuse servers. The best solution is probably to use a reverse proxy, for instance Apache httpd, which allows filtering of the requests, or an API gateway.
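
A sketch of the reverse-proxy option with Apache httpd 2.4, added here as an illustration and not taken from Gen documentation or from the consultant. The host names, certificate paths, the /GenEjbWs/ context path, the back-end port and the client address range are all placeholders, and restricting callers to POST assumes they already hold a copy of the WSDL.

```apache
# Added example. Requires mod_ssl, mod_proxy, mod_proxy_http,
# mod_authz_core and mod_authz_host. All names below are placeholders.
<VirtualHost *:443>
    ServerName ws.example.com

    # HTTPS terminates here; the Gen code sits behind the HTTP/S layer.
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    /etc/httpd/tls/ws.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/ws.example.com.key

    # Mutual TLS: only callers holding a certificate issued by this CA
    # complete the handshake, so knowing the URL is no longer enough.
    SSLCACertificateFile  /etc/httpd/tls/ws-clients-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Reverse proxy only, never a forward proxy.
    ProxyRequests Off

    # Default deny: nothing is reachable unless a later section allows it.
    <Location "/">
        Require all denied
    </Location>

    # Placeholder context path of the EJB Web Service / Custom Web Service.
    <Location "/GenEjbWs/">
        <RequireAll>
            # Known client networks only (placeholder range).
            Require ip 10.20.0.0/16
            # SOAP calls are POSTs. Assumption: clients keep their own
            # copy of the WSDL, so GET ...?wsdl is not needed at run time.
            Require method POST
        </RequireAll>
        ProxyPass        "http://appserver.internal.example:8080/GenEjbWs/"
        ProxyPassReverse "http://appserver.internal.example:8080/GenEjbWs/"
    </Location>

    # Record who called what, for later review.
    CustomLog logs/genws_access.log combined
</VirtualHost>
```

The filtering only holds if the application server's HTTP listener accepts connections from the proxy host alone; otherwise the web service URL stays reachable directly.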