Security for web services

Michael Yuan
author
Ranch Hand

Joined: Mar 07, 2002
Posts: 1427
Does the "Hacking exposed" book discuss XML security for web services? Web services is becoming a major feature in most J2EE application servers ...


Seam Framework: http://www.amazon.com/exec/obidos/ASIN/0137129394/mobileenterpr-20/
Ringful: http://www.ringful.com/
Brian Buege
Author
Ranch Hand

Joined: Oct 16, 2002
Posts: 42
Originally posted by Michael Yuan:
Does the "Hacking exposed" book discuss XML security for web services? Web services is becoming a major feature in most J2EE application servers ...

Michael-
As a matter of fact, there's a whole chapter on Web Services security that deals with adding security to a sample application that uses JAX-RPC and the Sun WSDP.
I couldn't agree with you more that it's a growing field and that's why we decided to add a chapter and tons of code examples to the book!
Unfortunately standardization is somewhat lagging in the Web Services security arena, but in addition to showing sample code for what exists now, we have a short discussion of emerging specs like SAML and WS-Security.
Hope this helps!


Brian Buege
Author of Hacking Exposed J2EE & Java: Developing Secure Web Applications with Java Technology (http://www.amazon.com/exec/obidos/ASIN/0072225653/brivacom-20)
Companion Website: http://www.hackingexposedjava.com
Michael Yuan
author
Ranch Hand

Joined: Mar 07, 2002
Posts: 1427
Originally posted by Brian Buege:

Unfortunately standardization is somewhat lagging in the Web Services security arena, but in addition to showing sample code for what exists now, we have a short discussion of emerging specs like SAML and WS-Security.
Hope this helps!

Hi Brian,
Thanks for the response! Can you tell us a bit more about what standards/examples you covered in your book? I think you probably have given examples on XML Encryption and XML Digital Signature. What tools do you use (JWSDP does not have built-in tools ...)? Do you discuss the binding between secure XML protocols and SOAP?
Thanks a lot.
Brian Buege
Author
Ranch Hand

Joined: Oct 16, 2002
Posts: 42
Originally posted by Michael Yuan:

Hi Brian,
Thanks for the response! Can you tell us a bit more about what standards/examples you covered in your book? I think you probably have given examples on XML Encryption and XML Digital Signature. What tools do you use (JWSDP does not have built-in tools ...)? Do you discuss the binding between secure XML protocols and SOAP?
Thanks a lot.

Michael-
Thanks for the response!
The book covers J2EE web services security (in one chapter) as used by the Java application developer. We don't specifically discuss security in low level protocols like CORBA CSI, so we don't talk about XML-level sigs and encryption either (deciding to leave it to the folks who have an entire book to devote to the topic of web services security). We cover it at a high level instead and provide references.
The reason we made this decision is that Sun's best practice is for the app developer to use JAX-RPC to access web service based (synchronous) functionality. Doing this, the developer uses the JAX-RPC API to generate the SOAP message instead of composing it themselves. We felt that showing sample code for using XML-based security specs would be just like showing how to hand-write native CORBA stubs to access an EJB (passing credentials, etc) instead of letting the app server stub generator take care of it for us... Same with web services: The app developer usually doesn't compose native SOAP messages (although some probably do, just like some people like to write their own or modify other generated RPC stub code (IIOP, JRMP, etc)).
We do discuss the issues you mention at a high level though, and we also talk about how to secure SOAP messages used in an asynchronous, workflow-based environment... But again, we didn't have space for copious sample code there either.
However, it'd be cool for someone to write a book about these topics because they're definitely interesting and underrepresented in the literature (I'd buy it!). We just didn't have time to delve that deeply into something we felt a minority of our readers would be interested in (we could have been wrong here though)...
Also, I've got to partially disagree with you:
The WSDP does contain security related features. You can programmatically use HTTP BASIC authentication (from JAX-RPC) to authenticate the client, HTTPS to secure the transport. In your web service, you can use declarative authorization to provide security for your endpoint, and if you need to be more granular you can also use the getUserPrincipal method in the ServletEndpointContext to make programmatic authorization decisions. All of this is supported in the WSDP. What isn't supported is the lower (transport) level stuff (like XML sig), and the evolving stuff (like WS-Security and SAML).
Additionally, on the humorous side, you mention "standards" for XML digital signatures, etc... I wasn't aware that any of these had cleared draft status yet... (Just kidding - In the web services arena a draft seems to be as good as a standard anyway...)
Hope this helps!! You've brought up some really good points that I'm sure many people have an interest in!
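The combination Brian lists above (BASIC authentication set from the JAX-RPC client stub, HTTPS for the transport, a declarative constraint on the endpoint URL, and getUserPrincipal from the ServletEndpointContext for finer-grained decisions) looks like the following in JAX-RPC 1.x. This is an added example written for this thread, not code from the book or the WSDP samples; the service name OrderService_Impl, the port interface OrderPort, the endpoint URL and the in-memory order table are assumptions for illustration.

```java
// Added example (not from the thread or the book): JAX-RPC client and endpoint
// secured with HTTP BASIC over HTTPS plus a programmatic authorization check.
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.xml.rpc.ServiceException;
import javax.xml.rpc.Stub;
import javax.xml.rpc.server.ServiceLifecycle;
import javax.xml.rpc.server.ServletEndpointContext;

// Service endpoint interface (hypothetical). wscompile would generate the
// OrderService_Impl service class and the OrderPort_Stub from its WSDL.
interface OrderPort extends Remote {
    double getOrderTotal(String orderId) throws RemoteException;
}

// --- Client side -----------------------------------------------------------
class OrderClient {
    double getTotal(String user, char[] password, String orderId) throws Exception {
        OrderPort port = new OrderService_Impl().getOrderPort(); // generated, assumed
        Stub stub = (Stub) port;
        // Pin the endpoint to https so the BASIC credentials are never sent in clear.
        // The endpoint URL is a hypothetical one.
        stub._setProperty(Stub.ENDPOINT_ADDRESS_PROPERTY,
                "https://orders.example.internal/orders/OrderPort");
        // Standard JAX-RPC stub properties; the runtime turns them into an
        // Authorization: Basic header on each request.
        stub._setProperty(Stub.USERNAME_PROPERTY, user);
        stub._setProperty(Stub.PASSWORD_PROPERTY, new String(password));
        return port.getOrderTotal(orderId);
    }
}

// --- Server side -----------------------------------------------------------
// Declarative security lives in web.xml, not here: a <security-constraint> on
// the endpoint URL with <auth-constraint> (role order-reader) and
// <user-data-constraint> CONFIDENTIAL, plus <login-config> BASIC. That is
// per-URL; the check inside getOrderTotal is per call and per resource.
public class OrderEndpoint implements OrderPort, ServiceLifecycle {
    private ServletEndpointContext ctx;

    // Constructed sample data: order id -> owning user (assumed; a real
    // endpoint would consult its backing store).
    private static final Map<String, String> ORDER_OWNER = new HashMap<>();
    static {
        ORDER_OWNER.put("A-1001", "alice");
        ORDER_OWNER.put("B-2002", "bob");
    }

    public void init(Object context) throws ServiceException {
        if (!(context instanceof ServletEndpointContext)) {
            throw new ServiceException("expected a servlet container endpoint context");
        }
        ctx = (ServletEndpointContext) context;
    }

    public void destroy() {
        ctx = null;
    }

    public double getOrderTotal(String orderId) throws RemoteException {
        Principal caller = ctx.getUserPrincipal();
        // A null principal means the container never authenticated this
        // request, i.e. the web.xml constraint is missing or does not cover
        // this URL. Fail closed rather than trusting the default.
        if (caller == null) {
            throw new RemoteException("unauthenticated call refused");
        }
        String owner = ORDER_OWNER.get(orderId);
        // Authorization decision the container cannot make for us: the caller
        // may only read orders they own. Unknown orders get the same error so
        // the response does not reveal which ids exist.
        if (owner == null || !owner.equals(caller.getName())) {
            throw new RemoteException("caller " + caller.getName()
                    + " is not permitted to read order " + orderId);
        }
        return lookupTotal(orderId);
    }

    private double lookupTotal(String orderId) {
        return "A-1001".equals(orderId) ? 149.95 : 12.50; // constructed values
    }
}
```

Note the split: BASIC over HTTPS and the web.xml constraint authenticate the caller and protect the transport, while getUserPrincipal is what lets the endpoint decide per order whether that caller may see the data. If the constraint is absent, getUserPrincipal returns null, which is why the method refuses rather than proceeding.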
Jim Baiter
Ranch Hand

Joined: Jan 05, 2001
Posts: 532
Hi Brian,
I really like some of the answers you have here. Can you tell me why the web services security seems to be lagging? I know there are politics but aren't there also some very difficult new scenarios that arise when you start talking about discovering and invoking services over the internet?
Thanks,
Jim
Originally posted by Brian Buege:

Michael-
As a matter of fact, there's a whole chapter on Web Services security that deals with adding security to a sample application that uses JAX-RPC and the Sun WSDP.
I couldn't agree with you more that it's a growing field and that's why we decided to add a chapter and tons of code examples to the book!
Unfortunately standardization is somewhat lagging in the Web Services security arena, but in addition to showing sample code for what exists now, we have a short discussion of emerging specs like SAML and WS-Security.
Hope this helps!

[ October 23, 2002: Message edited by: Jim Baiter ]
Michael Yuan
author
Ranch Hand

Joined: Mar 07, 2002
Posts: 1427
Originally posted by Brian Buege:

However, it'd be cool for someone to write a book about these topics because they're definitely interesting and underrepresented in the literature (I'd buy it!). We just didn't have time to delve that deeply into something we felt a minority of our readers would be interested in (we could have been wrong here though)...


I certainly would like to see books in the area of XML/Web Services security. But as you said, this field is still fast evolving. There have not been many magazine articles except high-level stuff.

Additionally, on the humorous side, you mention "standards" for XML digital signatures, etc... I wasn't aware that any of these had cleared draft status yet... (Just kidding - In the web services arena a draft seems to be as good as a standard anyway...)

Well, I do not know what's happening with the XML DS and ENC JSRs. They have been stalling for a year now. Does anyone know what's going on? How hard can it be?
On the other hand, JSRs are only "standard" Java APIs for those functionalities. The real underlying XML standards have long been established by W3C etc.
Mapraputa Is
Leverager of our synergies
Sheriff

Joined: Aug 26, 2000
Posts: 10065
Wrox is going to publish "Professional Web Services Security" in January 2003. You can see the contents here.


Uncontrolled vocabularies
"I try my best to make *all* my posts nice, even when I feel upset" -- Philippe Maquet
Sanjay Jadhav
Ranch Hand

Joined: Feb 21, 2002
Posts: 86
It is OK to have web services secure, but what about the internet itself, where in some places it is not secure? How will that be solved? Is it Network Identity that will solve this problem?


Sanjay Jadhav
Sun Certified Programmer For Java 2 Platform