WS-Security verses SSL and mutual authentication

 
Ranch Hand
Posts: 300
You are given a requirement that a web service has to be secure and confidential.
You have a choice WS-Security or SSL with mutual authentication. What do you pick and why?

Thanks.
 
Rancher
Posts: 43081
Likes 1
WSS, for a couple of reasons:
  • Transport-level security (like HTTPS) ends the moment the message arrives at the web server, whereas message-level security (like WSS) is in effect until the moment a message has to be in cleartext. That means a SOAP message can be routed around a network securely until it reaches its final destination; that's generally not possible with HTTPS.
  • SOAP over HTTP has taken a dive in popularity in favor of REST (ignoring for a moment that the existence of WSS is one area where WS-* still shines in comparison). But SOAP can be used over other transports (messaging, SMTP, etc.) and WSS still works in those cases; SSL doesn't. Better to keep architectural options available, unless there's a compelling reason not to.
    Ranch Hand
    Posts: 329
    If I design, I shall go for both: WSS at message level to avoid the so-called "man in the middle attack" and 2-way SSL for business-level trust, since SSL also implies trust between partners (a handshake); moreover, it is no more difficult to implement from a development perspective using any WS engine.
     
    Ulf Dittmer
    Rancher
    Posts: 43081
    Likes 1

    Shankar Tanikella wrote:
    If I design, I shall go for both: WSS at message level to avoid the so-called "man in the middle attack" and 2-way SSL for business-level trust.


    That doesn't buy you much (or anything) that WSS alone (encryption + signature) doesn't also provide.
     
    Luke Murphy
    Ranch Hand
    Posts: 300

    Ulf Dittmer wrote:

    Shankar Tanikella wrote:
    If I design, I shall go for both: WSS at message level to avoid the so-called "man in the middle attack" and 2-way SSL for business-level trust.

    That doesn't buy you much (or anything) that WSS alone (encryption + signature) doesn't also provide.



    Brilliant answers!
     
    Shankar Tanikella
    Ranch Hand
    Posts: 329
    Good, I agree with Ulf; one should also consider the business scenarios and the architecture setup. For example, I have a web application which has several layers of security (network level, the system architecture). All requests to the web application require a handshake, and it is not a good idea to bypass the SSL by any means just for exposed services, or is it? One should also consider the importance of person-to-machine (server) and organization-to-machine communication, shouldn't we?

    I am really confused now... I need to do a lot of homework.
    Anyway, these are just my thoughts.
     
    Ulf Dittmer
    Rancher
    Posts: 43081

    Shankar Tanikella wrote:
    All requests to the web application require a handshake, and it is not a good idea to bypass the SSL by any means just for exposed services, or is it?


    What is appropriate for a web app (which is accessed by humans, manually, using a browser) is not necessarily the same as what is appropriate for web services (which generally get accessed by machines programmatically). If the web service uses proper security mechanisms, I don't see that you'd be "bypassing" anything.

    Shankar Tanikella wrote:
    One should also consider the importance of person-to-machine (server) and organization-to-machine communication, shouldn't we?


    Not sure what you mean by "importance" in this context. You should evaluate what attack scenarios are likely, how bad their effect might be, determine the policies to guard against that, and then put in place mechanisms that implement these policies. Since you mention that you're prepared to learn, you might start with this book.
     
    Shankar Tanikella
    Ranch Hand
    Posts: 329
    Thanks for your inputs; I completely agree with, and am clear on, the approach of identifying the threats and then evaluating the anti-threat mechanisms.
    Nevertheless, what I meant previously (my perspective) was about public services (one can say everything is public in terms of web services; it is open to everyone) and private ones.
    For example, services between two banks, services between a person and a bank, and maybe even services between different branches of the same bank.
    Should I break the current level of security just for web services? Or shouldn't I... and more questions I ask myself now. Security is always a hot topic anywhere. Anyway, I shall think it over, correct myself and fill in a few blanks.

    However, is there any good book you are familiar with regarding designing, tips, tricks, pitfalls and how-tos related to web services?
    And again, thanks for the help.

     
    Ranch Hand
    Posts: 558
    If we go with SSL and the WS setup has several intermediaries, then with SSL none of those intermediaries would be able to access the SOAP request/response, as everything is encrypted at the transport level. Maybe in that case, implementing WS-Security using XML Encryption and XML Signature would be sufficient and appropriate. But if we do not have intermediaries, then adding SSL would be an additional level of security at the transport level in addition to the message level. Would anyone contradict this?
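Ulf's first post and Kumar's post above both turn on the same mechanism: a WS-Security signature is bound to the SOAP Body itself, so it survives any number of intermediaries that read or rewrite headers, whereas TLS protection ends at whichever hop terminates the connection. The following is an added example, not code from this thread or from any WS-Security stack. It uses only the JDK's own XML Signature API (javax.xml.crypto.dsig, JDK 11 or later) to sign the Body by its wsu:Id from a wsse:Security header, then plays an intermediary that adds a routing header (the signature still validates) and one that edits the Body (the signature fails). The sample envelope, the generated key pair and the `r:via` routing header are constructed for the example and are not from the thread. The JDK ships no XML Encryption implementation, so the confidentiality half of WSS (XML Encryption) is left out here; the integrity half is enough to show the intermediary point.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class BodySignatureDemo {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample request (an assumption for this example, not from the thread).
    // The wsu:Id on Body is what the signature's Reference points at.
    static final String REQUEST =
        "<soap:Envelope xmlns:soap=\"" + SOAP + "\" xmlns:wsu=\"" + WSU + "\">"
        + "<soap:Header/>"
        + "<soap:Body wsu:Id=\"Body\"><transfer><to>ACME</to><amount>100</amount></transfer></soap:Body>"
        + "</soap:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, so no XXE
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static Element first(Document doc, String ns, String local) {
        return (Element) doc.getElementsByTagNameNS(ns, local).item(0);
    }

    // Sender: sign the Body (referenced by wsu:Id) and place ds:Signature inside a wsse:Security header.
    static void signBody(Document doc, KeyPair sender) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#Body",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();

        Element security = doc.createElementNS(WSSE, "wsse:Security");
        security.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:wsse", WSSE);
        first(doc, SOAP, "Header").appendChild(security);

        DOMSignContext ctx = new DOMSignContext(sender.getPrivate(), security);
        ctx.setIdAttributeNS(first(doc, SOAP, "Body"), WSU, "Id"); // lets "#Body" resolve to the wsu:Id
        fac.newXMLSignature(si, kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(sender.getPublic()))))
           .sign(ctx);
    }

    // Receiver: validate against the sender's key known out of band. Trusting the KeyValue carried
    // inside the message would let anyone re-sign a tampered message with a key of their own.
    static boolean bodySignatureValid(Document doc, PublicKey senderKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) return false;
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(senderKey), sigs.item(0));
        ctx.setIdAttributeNS(first(doc, SOAP, "Body"), WSU, "Id");
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sender = kpg.generateKeyPair();

        Document msg = parse(REQUEST);
        signBody(msg, sender);

        // Intermediary hop: reads the envelope and adds a routing header. Only the Body is signed,
        // so nothing this hop does to the Header touches the signed bytes.
        Element via = msg.createElementNS("urn:example:routing", "r:via"); // hypothetical routing header
        via.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:r", "urn:example:routing");
        via.setTextContent("gateway-1");
        first(msg, SOAP, "Header").appendChild(via);
        System.out.println("valid after routing header added: " + bodySignatureValid(msg, sender.getPublic()));

        // A hop that edits the signed Body changes the Reference digest, and the final recipient rejects it.
        first(msg, SOAP, "Body").getElementsByTagName("amount").item(0).setTextContent("100000");
        System.out.println("valid after Body tampered:        " + bodySignatureValid(msg, sender.getPublic()));
    }
}
```

Compile and run with a plain JDK (no extra jars). Two design points matter in practice: the Reference targets the Body by wsu:Id rather than the whole document, which is exactly why intermediaries may add headers without breaking the signature; and the receiver validates with a key it already trusts instead of the KeyValue embedded in the message, because a signature that validates against whatever key the message carries authenticates nothing. A real WSS stack (WSS4J, Metro, etc.) additionally signs a Timestamp and the Security header tokens to block replay and header-stripping attacks.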
     
    Ulf Dittmer
    Rancher
    Posts: 43081

    Shankar Tanikella wrote:
    Should I break the current level of security just for web services?


    No, you should not. But you should use security mechanisms that are appropriate, and SSL is not the best way to secure web services. There are better approaches that are just as secure, and provide other benefits to boot - see my first post in this thread.
     
    Ulf Dittmer
    Rancher
    Posts: 43081

    Kumar Raja wrote:
    But if we do not have intermediaries, then adding SSL would be an additional level of security at the transport level in addition to the message level. Would anyone contradict this?


    Only in the sense that encrypting data repeatedly provides more security than encrypting it once. That means you're not trusting the encryption in the first place, which can mean one of two things: you don't trust the algorithm and think it's breakable, or you don't trust one of the two parties to keep their keys or certificates secure. Either scenario means you don't have a working, secure system, and adding more layers of encryption doesn't change that. So, yes - I am contradicting that.
     