• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Security for web services

 
author
Posts: 1436
6
Python TypeScript Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Does the "Hacking exposed" book discuss XML security for web services? Web services is becoming a major feature in most J2EE application servers ...
 
Author
Posts: 42
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Michael Yuan:
Does the "Hacking exposed" book discuss XML security for web services? Web services is becoming a major feature in most J2EE application servers ...


Michael-
As a matter of fact, there's a whole chapter on Web Services security that deals with adding security to a sample application that uses JAX-RPC and the Sun WSDP.
I couldn't agree with you more that it's a growing field and that's why we decided to add a chapter and tons of code examples to the book!
Unfortunately standardization is somewhat lagging in the Web Services security arena, but in addition to showing sample code for what exists now, we have a short discussion of emerging specs like SAML and WS-Security.
Hope this helps!
 
Michael Yuan
author
Posts: 1436
6
Python TypeScript Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Brian Buege:

Unfortunately standardization is somewhat lagging in the Web Services security arena, but in addition to showing sample code for what exists now, we have a short discussion of emerging specs like SAML and WS-Security.
Hope this helps!


Hi Brian,
Thanks for the response! Can you tell us a bit more about what standards/examples you covered in your book? I think you probably have given examples on XML Encryption and XML Digital Signature. What tools do you use (JWSDP does not build-in tools ...)? Do you discuss the binding between secure XML protocols and SOAP?
Thanks a lot.
 
Brian Buege
Author
Posts: 42
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Michael Yuan:

Hi Brian,
Thanks for the response! Can you tell us a bit more about what standards/examples you covered in your book? I think you probably have given examples on XML Encryption and XML Digital Signature. What tools do you use (JWSDP does not build-in tools ...)? Do you discuss the binding between secure XML protocols and SOAP?
Thanks a lot.


Michael-
Thanks for the response!
The book covers J2EE web services security (in one chapter) as used by the Java application developer. We don't specifically discuss security in low level protocols like CORBA CSI, so we don't talk about XML-level sigs and encryption either (deciding to leave it to the folks who have an entire book to devote to the topic of web services security). We cover it at a high level instead and provide references.
The reason we made this decision is that Sun's best practice is for the app developer to use JAX-RPC to access web service based (synchronous) functionality. Doing this, the developer uses the JAX-RPC API to generate the SOAP message instead of composing it themselves. We felt that showing sample code for using XML-based security specs would be just like showing how to hand-write native CORBA stubs to access an EJB (passing credentials, etc) instead of letting the app server stub generator take care of it for us... Same with web services: The app developer usually doesn't compose native SOAP messages (although some probably do, just like some people like to write their own or modify other generated RPC stub code (IIOP, JRMP, etc)).
We do discuss the issues you mention at a high level though, and we also talk about how to secure SOAP messages used in a asynchronous, workflow based environment... But again, we didn't have space for copious sample code there either.
However, it'd be cool for someone to write a book about these topics because they're definitely interesting and underrepresented in the literature (I'd buy it!). We just didn't have time to delve that deeply into something we felt a minority of our readers would be interested in (we could have been wrong here though)...
Also, I've got to partially disagree with you:
The WSDP does contain security related features. You can programmatically use HTTP BASIC authentication (from JAX-RPC) to authenticate the client, HTTPS to secure the transport. In your web service, you can use declarative authorization to provide security for your endpoint, and if you need to be more granular you can also use the getUserPrincipal method in the ServletEndpointContext to make programmatic authorization decisions. All of this is supported in the WSDP. What isn't supported is the lower (transport) level stuff (like XML sig), and the evolving stuff (like WS-Security and SAML).
Additionally, on the humorous side, you mention "standards" for XML digital signatures, etc... I wasn't aware that any of these had cleared draft status yet... (Just kidding - In the web services arena a draft seems to be as good as a standard anyway...)
Hope this helps!! You've brought up some really good points that I'm sure many people have an interest in!
 
Ranch Hand
Posts: 532
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Brian,
I really like some of the answers you have here. Can you tell me why the web services security seems to be lagging? I know there are politics but aren't there also some very difficult new scenarios that arise when you start talking about discovering and invoking services over the internet?
Thanks,
Jim

Originally posted by Brian Buege:

Michael-
As a matter of fact, there's a whole chapter on Web Services security that deals with adding security to a sample application that uses JAX-RPC and the Sun WSDP.
I couldn't agree with you more that it's a growing field and that's why we decided to add a chapter and tons of code examples to the book!
Unfortunately standardization is somewhat lagging in the Web Services security arena, but in addition to showing sample code for what exists now, we have a short discussion of emerging specs like SAML and WS-Security.
Hope this helps!


[ October 23, 2002: Message edited by: Jim Baiter ]
 
Michael Yuan
author
Posts: 1436
6
Python TypeScript Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Brian Buege:

However, it'd be cool for someone to write a book about these topics because they're definitely interesting and underrepresented in the literature (I'd buy it!). We just didn't have time to delve that deeply into something we felt a minority of our readers would be interested in (we could have been wrong here though)...


I certainly would like to see books in the area of XML/Web Services security.But as you said, this field is still fast evolving. There has not been many magazine article except high level stuff.


Additionally, on the humorous side, you mention "standards" for XML digital signatures, etc... I wasn't aware that any of these had cleared draft status yet... (Just kidding - In the web services arena a draft seems to be as good as a standard anyway...)


Well, I do not know what's happening with XML DS and ENC JSRs. They have been stalling for a year now. Does anyone know what's going on? How hard it can be?
On the other hand, JSRs are only "standard" Java APIs for those functionalities. The real underlying XML standard have long been established by W3C etc.
 
Leverager of our synergies
Posts: 10065
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Wrox is going to publish "Professional Web Services Security" in January 2003. You can see the contents here.
 
Ranch Hand
Posts: 86
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
It is ok to have web services secure but what about the internet itself, some were it is not secure. How will be that slove.Is that Network Identity will slove this problem.
 
reply
    Bookmark Topic Watch Topic
  • New Topic