
I want to secure the communication for a webservice component published with endpoint.publish() in an OSGi bundle. Therefore I'm struggling with three questions.

  1. How can I use a certificate in a truststore to build a https publisher using just the IP? As this bundle is running on an embedded computer without a machine name known to the client consuming the service.
  2. How do I load the *.jks keystore in my bundle? As there's another classpath I can't find the *.jks file using e.g. new File(./truststore.jks). Yes, I found similar questions here, but they didn't work.
  3. I want to implement some kind of authentication. For now I send a username and password in the header files (that's the reason I want to secure the communication at first). Is there a way not to check the username/password in the header in every webservice method call? As I have about 20 published methods and copying the same check-code is odd.

Runtime is Java 1.6, equinox 3.7.1. The client is another web application (using php).

In general, are there best practices for securely publishing webservices (in respect to OSGi bundles especially)?

Thanks in advance!

Maarten Bodewes
mpsat

1 Answer

I'll answer in order:

  1. It's probably not good form to use the IP address as common name (CN) in the certificate. You are better off assigning a name to that IP address locally (e.g. in the hosts file on most systems). Alternatively you may be able to skip name validation by configuring the client - in that case you accept any certificate issued by the CA however. This can still be an option if you have enough control over the PKI, for instance if you use self-signed certificates.

  2. KeyStores (and the truststore is a keystore) can be loaded using an InputStream, and input streams can be created for resources. See this question on stackoverflow for more information.

  3. Try and bind the authentication to a session instead of to a single page using the session context. Obviously this is less safe without SSL, but with SSL you should be OK.

Maarten Bodewes
  • Thanks for your answers. But for 2. the issue is, that I can't load any file because I don't "find" them. Using OSGi the classpath is not the same as running as a "normal" application. – mpsat Jan 20 '14 at 17:28
  • But it is possible to use resources in OSGi isn't it? See for instance [this Q/A](http://stackoverflow.com/questions/6244993/no-access-to-bundle-resource-file-osgi). I'm pretty sure my Eclipse plugin has some resources... – Maarten Bodewes Jan 20 '14 at 17:59
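
Point 2 of the answer (loading the keystore through an InputStream on a bundle resource), carried through to an HTTPS publish, as an added example that is not code from the question or the answer. It is written for Java 6 and assumes a JKS file holding the server's private key and certificate packaged at the bundle root as `/keystore.jks`, a key password equal to the store password, and the hypothetical class name `SecurePublisher`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.xml.ws.Endpoint;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;

public final class SecurePublisher {
    // Assumption: the keystore is packaged at the bundle root under this name.
    private static final String KEYSTORE_RESOURCE = "/keystore.jks";

    /** Loads the JKS through the bundle's own class loader, not the file system. */
    static KeyStore loadKeyStore(char[] password) throws IOException, GeneralSecurityException {
        InputStream in = SecurePublisher.class.getResourceAsStream(KEYSTORE_RESOURCE);
        if (in == null) {
            // Fail closed: a missing keystore must never lead to a plain HTTP fallback.
            throw new IOException(KEYSTORE_RESOURCE + " not found in bundle");
        }
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password); // the password also drives the store integrity check
            return ks;
        } finally {
            in.close();
        }
    }

    /** Publishes the service object over HTTPS on the given port and context path. */
    static HttpsServer publish(Object service, int port, String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(password), password); // assumes key password == store password
        SSLContext ssl = SSLContext.getInstance("TLS");
        ssl.init(kmf.getKeyManagers(), null, null);

        HttpsServer server = HttpsServer.create(new InetSocketAddress(port), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(ssl));
        Endpoint.create(service).publish(server.createContext(path));
        server.start();
        return server; // keep the reference so the bundle can call stop() on shutdown
    }
}
```

In Equinox the `com.sun.net.httpserver` package has to be visible to the bundle (for example through boot delegation), since it is not a `java.*` package.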