This weeks GiveAway

Carl Trusiak
Sheriff

Joined: Jun 13, 2000
Posts: 3340
This week we are giving away 4 copies of the book "Professional Web Services Security"
The best part, the Author Prasad DV, will be on line to answer your questions.
Thanks to the good people at Wrox for the books.
For information on qualification criteria, please read the Book Giveaway page.
Balaji Loganathan
author and deputy
Bartender

Joined: Jul 13, 2001
Posts: 3150
Welcome Prasad!..
Hope you will have a good time with us.!.
Regards
Balaji


Spritle Software Blogs
Ren Li
Ranch Hand

Joined: Feb 20, 2002
Posts: 64
Welcome Prasad,
I used SSL and Web Services in a prototype. The reason that my boss did not like the combination was the drop in performance. Does your book recommend tool selection for optimized performance in Secured Web Services using mostly J2EE?
Thanks,
Ren
Sam Dalton
Author
Ranch Hand

Joined: Jul 26, 2001
Posts: 170
Hi there.
One concern that people have re: web services relates to security. Can you give me any insight into methods of making web services secure.
Cheers
Sam


Sam Dalton (http://www.samjdalton.com)
Co-author of Professional JSP 2.0 (October 2003)
Co-author of Professional SCWCD Certification
Co-author of Professional Java Servlets 2.3
Daniel Ng
Greenhorn

Joined: Jul 09, 2002
Posts: 27
Hi,
Can you give me a general overview on what XACML is?
Thanx,
Daniel
john Lin
Greenhorn

Joined: Dec 03, 2002
Posts: 8
Hi, ren,
Do you use client certificate to authenticate your client? or userID/password
Regards
John
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by Balaji Loganathan:
Welcome Prasad!..
Hope you will have a good time with us.!.
Regards
Balaji

Thanks a lot! I am sure to have a good time with you people at javaranch
Prasad DV


Prasad DV
Co-author of Wrox Press's "Professional WebServices Security"
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by Ren Li:
Welcome Prasad,
I used SSL and Web Services in a prototype. The reason that my boss did not like the combination was the drop in performance. Does your book recommend tool selection for optimized performance in Secured Web Services using mostly J2EE?
Thanks,
Ren

Sure! The reason why SSL slows things down is that the number of roundtrips between the server and the clients increases manifold. Please read Chapter 11 of the book - WS Security. WS Security enables message authentication, message integrity, message privacy and message non-repudiation, with the least number of roundtrips, using SOAP headers and a set of XML specifications. Chapter 13 of the book contains a case study, which explains how to do all these using Java (though I understand .NET more than I do Java and one of my co-authors has done the Java case study). I hope that you will find the material useful to satisfy your boss!
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by Sam Dalton:
Hi there.
One concern that people have re: web services relates to security. Can you give me any insight into methods of making web services secure.
Cheers
Sam

There are several paths in making a web service secure and the process of doing so is still evolving. Primarily there are two methods though! The first option is to put the service behind SSL and use the security cover provided by the Secure Socket Layer Protocol. The second approach is to use the SOAP headers to carry extra information and use this space to secure the SOAP messages using both public key and private key encryption and X509 certificates. For example, the SOAP header may carry the encrypted key, digital signature and authentication information besides the X509 Certificate of the sender while the message itself is encrypted using the key. The WS Security specifications promoted by the bigwigs of the industry aim at laying down the norms of doing the latter process.
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by Daniel Ng:
Hi,
Can you give me a general overview on what XACML is?
Thanx,
Daniel

XACML or eXtensible Access Control Markup Language is an XML based security standard directed by OASIS since 2001 for expressing rules and policies for controlling access to information. It provides a portable and unified way to describe the access control elements in XML. It provides a standard format to allow security control information to be exchanged between different systems. Thus it provides a standardized format to tie together and provide a consolidated and federated view of what were formerly islands of ACLs. It also allows IT resources to have the ability to create these policies for their area. The XACML specs identify various XML elements that may be used to describe the ACL like "Policy", "PolicySet", "Target", "Rule", "Obligations" and "Effect". Chapter 10 of the book deals in detail with these elements together with samples.
I hope this reply helps. (though I did not author that particular chapter!)
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by john Lin:
Hi, ren,
Do you use client certificate to authenticate your client? or userID/password
Regards
John

Both can be used. WS Security Specs allow both a Client Certificate and any other form of authentication information. However, a client certificate is the preferred way of authenticating a message, as this also provides an element of message non-repudiation!
swap Inam
Ranch Hand

Joined: Sep 28, 2002
Posts: 37
Hi Prasad
The article in the link below says
http://zdnet.com.com/2100-1107-980511.html
---------------------------------------
This may be a well kept secret now, but 2003 could be the year in which Linux becomes the operating system of choice for Web services.
---------------------------------------
Could you throw some more light on Web Services and Operating systems ?
Thanks
Swap
Sam Dalton
Author
Ranch Hand

Joined: Jul 26, 2001
Posts: 170
Originally posted by Prasad DV:

There are several paths in making a web service secure and the process of doing so is still evolving. Primarily there are two methods though! The first option is to put the service behind SSL and use the security cover provided by the Secure Socket Layer Protocol. The second approach is to use the SOAP headers to carry extra information and use this space to secure the SOAP messages using both public key and private key encryption and X509 certificates. For example, the SOAP header may carry the encrypted key, digital signature and authentication information besides the X509 Certificate of the sender while the message itself is encrypted using the key. The WS Security specifications promoted by the bigwigs of the industry aim at laying down the norms of doing the latter process.

thanks for the information
Cheers
sam
Stanley Tan
Ranch Hand

Joined: May 17, 2001
Posts: 243
Hi Sir,
I hope you can help me with my questions. I'm interested in interoperability such as accessing a .NET Web service with a Java client and vice-versa. I'll create a new thread. Hope you can visit it and help me out. Thanks
Stanley
Stanley Tan
Ranch Hand

Joined: May 17, 2001
Posts: 243
Regarding security: if a Java Web service uses WS-Security security mechanisms, can a .NET or other platform client interoperate with the Web service?
I'm guessing it can, since that's one of the advantages of using XML Web services in the first place, right?
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by swap Inam:
Hi Prasad
The article in the link below says
http://zdnet.com.com/2100-1107-980511.html
---------------------------------------
This may be a well kept secret now, but 2003 could be the year in which Linux becomes the operating system of choice for Web services.
---------------------------------------
Could you throw some more light on Web Services and Operating systems ?
Thanks
Swap

As things stand now, web services are more a feature of web server software than a feature of an operating system. Because web services use the HTTP channel for transport (they can use other channels like SMTP also!) present web service development revolves around internet servers like Apache, IIS etc. Languages like Java, C#, VB provide the platform for the developers to leverage the web servers for web services. However, one does not know what is in store for the future. Microsoft is in the process of finalising a new OS called .Net Server, which is supposed to integrate web services into the OS functions themselves! Thus we may end up with operating systems boasting of web services as a feature for running the computer!!
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by Stanley Tan:
Regarding security: if a Java Web service uses WS-Security security mechanisms, can a .NET or other platform client interoperate with the Web service?
I'm guessing it can, since that's one of the advantages of using XML Web services in the first place, right?

You are bang on target! The whole idea behind the WS Security specification is to provide a standard platform for inter-operability. Theoretically it should work. However, the WS Security implementations are still at the development stage and it may take a while for a complete inter-operation.
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by Stanley Tan:
Hi Sir,
I hope you can help me with my questions. I'm interested in interoperability such as accessing a .NET Web service with a Java client and vice-versa. I'll create a new thread. Hope you can visit it and help me out. Thanks
Stanley


This question has been discussed in this same forum under the title "SOAP & Microsoft" only a few days back. I have also posted to that topic. The URL is http://207.68.164.250/cgi-bin/linkrd?_lang=EN&lah=1b3bf57e84398f3c12442e53218a3b53&lat=1042654632&hm___action=http%3a%2f%2fsaloon%2ejavaranch%2ecom%2fcgi%2dbin%2fubb%2fultimatebb%2ecgi%3fubb%3dget_topic%26f%3d51%26t%3d000533
The URLs to a couple of good articles about SOAP interoperability are given in the posts under that topic. I suggest that you read the posts there.
Vikrama Sanjeeva
Ranch Hand

Joined: Sep 02, 2001
Posts: 756
Hi,
Originally posted by Prasad DV:

As things stand now, web services are more a feature of web server software than a feature of an operating system. Because web services use the HTTP channel for transport (they can use other channels like SMTP also!) present web service development revolves around internet servers like Apache, IIS etc. Languages like Java, C#, VB provide the platform for the developers to leverage the web servers for web services. However, one does not know what is in store for the future. Microsoft is in the process of finalising a new OS called .Net Server, which is supposed to integrate web services into the OS functions themselves! Thus we may end up with operating systems boasting of web services as a feature for running the computer!!

You mean everything will come with OS. We do not want to install Web Servers separately?
Bye,
Viki.


Count the flowers of your garden, NOT the leafs which falls away!
Prepare IBM Exam 340 by joining http://groups.yahoo.com/group/IBM340Exam/
Amanda Weber
Greenhorn

Joined: Nov 20, 2002
Posts: 28
Here is a question my boss is very worried about - calling a java program from the web - the java program accesses the database, he is concerned about corrupting our data via the internet, via the java. Do you have any insights?
Rajesh Pathak
Ranch Hand

Joined: Aug 15, 2002
Posts: 56
Hi,
Is there any relation between SOAP encryption and web services security? Can you please give some insight.
Thanks in advance.


Rajesh (Bangalore, India)
SCJP2, SCWCD, SCEA, IBM-XML, UML-OOAD, IBM-Enterprise Connectivity with J2EE.
Stanley Tan
Ranch Hand

Joined: May 17, 2001
Posts: 243
Originally posted by Prasad DV:

You are bang on target! The whole idea behind the WS Security specification is to provide a standard platform for inter-operability. Theoretically it should work. However, the WS Security implementations are still at the development stage and it may take a while for a complete inter-operation.

Thanks! I guess I'll just have to try it out and hope that it works
Stanley Tan
Ranch Hand

Joined: May 17, 2001
Posts: 243
Originally posted by Prasad DV:


This question has been discussed in this same forum under the title "SOAP & Microsoft" only a few days back. I have also posted to that topic. The URL is http://207.68.164.250/cgi-bin/linkrd?_lang=EN&lah=1b3bf57e84398f3c12442e53218a3b53&lat=1042654632&hm___action=http%3a%2f%2fsaloon%2ejavaranch%2ecom%2fcgi%2dbin%2fubb%2fultimatebb%2ecgi%3fubb%3dget_topic%26f%3d51%26t%3d000533
The URLs to a couple of good articles about SOAP interoperability are given in the posts under that topic. I suggest that you read the posts there.


I tried the link but it doesn't work. Appears to be a link read in Hotmail...
Stanley Tan
Ranch Hand

Joined: May 17, 2001
Posts: 243
Originally posted by Rajesh Pathak:
Hi,
Is there any relation between SOAP encryption and web services security? Can you please give some insight.
Thanks in advance.

Basically, SOAP messages are passed in clear-text. For obvious reasons, this is a bad thing (for sensitive data) as the message can easily be sniffed. By encrypting the SOAP message or simply the SOAP body, you almost guarantee that no one will be able to read the contents of the message if ever it is intercepted.
Rajesh Pathak
Ranch Hand

Joined: Aug 15, 2002
Posts: 56
Often the following argument is given for using web service (1) Integration of application running over disparate language/platform (2) program to program interaction... etc
My question is, why should I develop/use web service when the above requirement can be achieved by other ways also (e.g. a properly coupled J2EE application can do this job well)?
Thanks in advance.
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by Rajesh Pathak:
Hi,
Is there any relation between SOAP encryption and web services security? Can you please give some insight.
Thanks in advance.

Yes, there is! (I believe that by "SOAP Encryption" you mean "XML Encryption"!) There is a lot of difference between encrypting a document and encrypting an XML Document. When you encrypt a non XML document, you would encrypt the entire contents of the document, including the header information like Author Name, Subject, Priority etc. However, when you encrypt an XML Document, the XML Tags are not encrypted but only the contents thereof. In XML Encryption, generally other additional information is added to the XML Document in the form of some Header information like the Encryption method, the type of the key used for encryption, its identification (or even the key itself - sometimes). Web services security is very much dependent on XML Encryption, because the SOAP Messages require only some select portions of it to be encrypted. Other portions like the Headers which contain the routing information of the message to enable intermediate nodes that process the message to send it to proper destinations need to be sent unencrypted. Therefore, web services security depends on XML Encryption in a large way to enable secrecy of SOAP Messages. I hope this helps.
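The message layout described in this reply and in the earlier reply to Sam Dalton (security data carried in the SOAP header, routing headers left readable, body content replaced by XML Encryption) can be checked mechanically. The Python check below is an added example, not part of the original thread or the book's code; the envelope, the `urn:example:*` namespaces, the endpoint and all token and cipher values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample header: endpoint, Ids, token and cipher values are
# placeholders, not captured traffic.
HEADER = f"""<soap:Header>
  <r:To xmlns:r="urn:example:routing">https://orders.example.test/svc</r:To>
  <wsse:Security xmlns:wsse="{WSSE}" xmlns:ds="{DS}">
    <wsse:BinarySecurityToken>PLACEHOLDER-X509</wsse:BinarySecurityToken>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
      <xenc:ReferenceList><xenc:DataReference URI="#body-1"/></xenc:ReferenceList>
    </xenc:EncryptedKey>
    <ds:Signature/>
  </wsse:Security>
</soap:Header>"""


def envelope(body_xml):
    """Wrap a body fragment in the constructed envelope above."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:xenc="{XENC}">'
            f"{HEADER}<soap:Body>{body_xml}</soap:Body></soap:Envelope>")


ENCRYPTED = envelope(f"""<xenc:EncryptedData Id="body-1" Type="{XENC}Content">
  <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
  <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>""")
# Same header, but the payload was left in the clear.
CLEARTEXT = envelope('<o:PlaceOrder xmlns:o="urn:example:orders">'
                     "<o:Card>0000-TEST</o:Card></o:PlaceOrder>")


def q(ns, name):
    return "{%s}%s" % (ns, name)


def local(tag):
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Report which parts of a SOAP message are readable and which are encrypted."""
    # For untrusted input, parse with a hardened parser (e.g. defusedxml).
    root = ET.fromstring(xml_text)
    header, body = root.find(q(SOAP, "Header")), root.find(q(SOAP, "Body"))
    if body is None:
        raise ValueError("not a SOAP envelope: no Body")
    headers = list(header) if header is not None else []
    security = [h for h in headers if h.tag == q(WSSE, "Security")]
    enc_ids = {e.get("Id") for e in root.iter(q(XENC, "EncryptedData"))}
    refs = [r.get("URI", "") for r in root.iter(q(XENC, "DataReference"))]
    clear = [local(c.tag) for c in body if c.tag != q(XENC, "EncryptedData")]
    method = body.find(q(XENC, "EncryptedData") + "/" + q(XENC, "EncryptionMethod"))
    return {
        "readable_headers": [local(h.tag) for h in headers
                             if h.tag != q(WSSE, "Security")],
        "security_parts": [local(p.tag) for s in security for p in s],
        "body_encrypted": len(body) > 0 and not clear,
        "cleartext_body": clear,
        "dangling_refs": [u for u in refs if u.lstrip("#") not in enc_ids],
        "body_algorithm": method.get("Algorithm") if method is not None else None,
    }


if __name__ == "__main__":
    for name, msg in (("encrypted", ENCRYPTED), ("cleartext", CLEARTEXT)):
        print(name, audit(msg))
```

A non-empty `dangling_refs` means the header announces an encrypted part that is not actually present in the message, which is what the second sample shows.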
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by Rajesh Pathak:
Often the following argument is given for using web service (1) Integration of application running over disparate language/platform (2) program to program interaction... etc
My question is, why should I develop/use web service when the above requirement can be achieved by other ways also (e.g. a properly coupled J2EE application can do this job well)?
Thanks in advance.

Good question! When you are developing an application, where you have control over the various parts of the environment, various users and user groups and the operating systems they all use, I will suggest that the best way to go about it is through J2EE or some other proprietary technology. However, we live in a world of heterogeneity! We need to write applications that follow certain standards and speak with other applications living in other environments and other operating systems. We may never make Microsoft and Sun agree on a standard platform for speaking to each other's applications. AND we may not live forever to continue to keep the application running in J2EE. Therefore, when the world leaders have recognized this and have come to the common ground of XML, should we not respond by writing our applications to also speak the common language of XML? Please ponder!
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by Prasad DV:


This question has been discussed in this same forum under the title "SOAP & Microsoft" only a few days back. I have also posted to that topic. The URL is http://207.68.164.250/cgi-bin/linkrd?_lang=EN&lah=1b3bf57e84398f3c12442e53218a3b53&lat=1042654632&hm___action=http%3a%2f%2fsaloon%2ejavaranch%2ecom%2fcgi%2dbin%2fubb%2fultimatebb%2ecgi%3fubb%3dget_topic%26f%3d51%26t%3d000533
The URLs to a couple of good articles about SOAP interoperability are given in the posts under that topic. I suggest that you read the posts there.


Sorry!

The correct link should be: http://www.coderanch.com/t/219938/Web-Services/java/SOAP-Microsoft
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by Vikrama Sanjeeva:
Hi,

You mean everything will come with OS. We do not want to install Web Servers separately?
Bye,
Viki.

I meant the ability to access the web services, for which a web server is not needed! Initially, operating systems will come with this ability (they already have come like this - if you consider IE as part of Windows OS) Later - who knows? - the OS versions then may possess the ability to host web services in your own computer without you having to install a Web server separately - provided adequate security for doing this evolves!
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by Amanda Weber:
Here is a question my boss is very worried about - calling a java program from the web - the java program accesses the database, he is concerned about corrupting our data via the internet, via the java. Do you have any insights?

This is where Web Services Security comes in a major way. When you expose your databases to the web - you may build a middle tier using web services instead of throwing them open directly.
When the present exercises of the web service community in evolving an adequate security mechanism for web services fructify in a few months, you will be in a position to ascertain the authenticity of the persons accessing the databases and authoritatively ensure that the operations done by them are securely carried out through the web services. Moreover, these security features will allow you to make the database operations non-repudiable by the persons carrying them out by using digital signatures and Digital Certificates.
When all these are assured, how does it differ if the same persons operate upon the database from inside the office or from outside it at their convenience? Please ponder and explain this to your Boss!
Vikrama Sanjeeva
Ranch Hand

Joined: Sep 02, 2001
Posts: 756
Hi,
Originally posted by Prasad DV:
I meant the ability to access the web services, for which a web server is not needed! Initially, operating systems will come with this ability (they already have come like this - if you consider IE as part of Windows OS) Later - who knows? - the OS versions then may possess the ability to host web services in your own computer without you having to install a Web server separately - provided adequate security for doing this evolves!

By doing so I think the OS will become fat. And the cost of the OS will eventually increase.
Bye,
Viki.
Rick Portugal
Ranch Hand

Joined: Dec 17, 2002
Posts: 243
Your book looks interesting. I will get it (even if I have to buy it!)


IBM 286, SCJP, SCWCD, EIEIO
sing
Ranch Hand

Joined: Nov 29, 2001
Posts: 121
Hi Prasad,
Is this book suitable for beginners on Web Service Security?
Are there any examples with explanation?
steffy
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by Steffy Sing:
Hi Prasad,
Is this book suitable for beginners on Web Service Security?
Are there any examples with explanation?
steffy

This book IS suitable for beginners on web services (as against beginners to programming!), as it starts from scratch and explains all concepts associated with web services as well as security and web services security. There are two great case studies - one in Java and the other in .NET Framework - where you will find hundreds of lines of copy-pastable code, which can be used in your applications with minimum modifications. (Make sure that you download the code from Wrox's site to do copy pasting!)
Prasad DV
Author
Greenhorn

Joined: Jan 13, 2003
Posts: 23
Originally posted by Rick Portugal:
Your book looks interesting. I will get it (even if I have to buy it!)

Thanks a lot for the encouragement! All the best to you to win the prize give away, even if it means one book less for me and Wrox!!
Stanley Tan
Ranch Hand

Joined: May 17, 2001
Posts: 243
Prasad DV,
I hope you come back and visit the JavaRanch Web Services forum... well, at least once in a while
Have a question for you or anyone else that can answer...
What is the WS-I draft? As I understand it, it is for interoperability, but aren't Web services supposed to be interoperable since it follows well-defined standards such as WSDL, SOAP, etc.
 