This weeks GiveAway

 
Sheriff
Posts: 3341
This week we are giving away 4 copies of the book "Professional Web Services Security".
The best part: the author, Prasad DV, will be online to answer your questions.
Thanks to the good people at Wrox for the books.
For information on qualification criteria, please read the Book Giveaway page.
 
author and deputy
Posts: 3150
Welcome Prasad!
Hope you will have a good time with us!
Regards
Balaji
 
Ranch Hand
Posts: 64
Welcome Prasad,
I used SSL and Web Services in a prototype. The reason that my boss did not like the combination was the drop in performance. Does your book recommend tool selection for optimized performance in Secured Web Services using mostly J2EE?
Thanks,
Ren
 
Author
Posts: 170
Hi there.
One concern that people have re: web services relates to security. Can you give me any insight into methods of making web services secure?
Cheers
Sam
 
Greenhorn
Posts: 27
Hi,
Can you give me a general overview on what XACML is?
Thanx,
Daniel
 
Greenhorn
Posts: 8
Hi, Ren,
Do you use a client certificate to authenticate your client, or userID/password?
Regards
John
 
Author
Posts: 23

Originally posted by Balaji Loganathan:
Welcome Prasad!
Hope you will have a good time with us!
Regards
Balaji


Thanks a lot! I am sure to have a good time with you people at JavaRanch.
Prasad DV
 
Prasad DV
Author
Posts: 23

Originally posted by Ren Li:
Welcome Prasad,
I used SSL and Web Services in a prototype. The reason that my boss did not like the combination was the drop in performance. Does your book recommend tool selection for optimized performance in Secured Web Services using mostly J2EE?
Thanks,
Ren


Sure! The reason why SSL slows things down is that the number of round trips between the server and the clients increases manifold. Please read Chapter 11 of the book - WS Security. WS Security enables message authentication, message integrity, message privacy and message non-repudiation, with the least number of round trips, using SOAP headers and a set of XML specifications. Chapter 13 of the book contains a case study, which explains how to do all these using Java (though I understand .NET more than I do Java and one of my co-authors has done the Java case study). I hope that you will find the material useful to satisfy your boss!
 
Prasad DV
Author
Posts: 23

Originally posted by Sam Dalton:
Hi there.
One concern that people have re: web services relates to security. Can you give me any insight into methods of making web services secure?
Cheers
Sam


There are several paths to making a web service secure and the process of doing so is still evolving. Primarily there are two methods though! The first option is to put the service behind SSL and use the security cover provided by the Secure Socket Layer Protocol. The second approach is to use the SOAP headers to carry extra information and use this space to secure the SOAP messages using both public key and private key encryption and X509 certificates. For example, the SOAP header may carry the encrypted key, digital signature and authentication information besides the X509 Certificate of the sender while the message itself is encrypted using the key. WS Security specifications promoted by the bigwigs of the industry aim at laying down the norms of doing the latter process.
 
Prasad DV
Author
Posts: 23

Originally posted by Daniel Ng:
Hi,
Can you give me a general overview on what XACML is?
Thanx,
Daniel


XACML, or eXtensible Access Control Markup Language, is an XML-based security standard directed by OASIS since 2001 for expressing rules and policies for controlling access to information. It provides a portable and unified way to describe the access control elements in XML. It provides a standard format to allow security control information to be exchanged between different systems. Thus it provides a standardized format to tie together and provide a consolidated and federated view of what were formerly islands of ACLs. It also allows IT resources to have the ability to create these policies for their area. The XACML specs identify various XML elements that may be used to describe the ACL like "Policy", "PolicySet", "Target", "Rule", "Obligations" and "Effect". Chapter 10 of the book deals in detail with these elements together with samples.
I hope this reply helps. (though I did not author that particular chapter!)
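
How a policy decision point might evaluate the elements named in the post above, as an added example that is not part of the original thread or the book. The policy document is constructed and uses a shorthand attribute-based Target instead of the full OASIS schema; `evaluate`, `enforce` and the request attribute names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Real XACML identifier for the deny-overrides rule-combining algorithm.
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"

# Constructed sample policy. Element names follow the XACML vocabulary, but
# the attributes on <Target> are a shorthand, not the OASIS schema.
POLICY_XML = f"""
<Policy PolicyId="payroll-policy" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target resource="payroll"/>
  <Rule RuleId="hr-can-read" Effect="Permit">
    <Target role="hr" action="read"/>
  </Rule>
  <Rule RuleId="hr-can-update" Effect="Permit">
    <Target role="hr" action="update"/>
  </Rule>
  <Rule RuleId="no-contractors" Effect="Deny">
    <Target employment="contractor"/>
  </Rule>
  <Obligations>
    <Obligation ObligationId="write-audit-log" FulfillOn="Permit"/>
    <Obligation ObligationId="alert-security-team" FulfillOn="Deny"/>
  </Obligations>
</Policy>
"""


def target_matches(element, request):
    """A missing Target matches everything; otherwise every attribute on the
    Target must equal the same attribute of the request."""
    target = element.find("Target")
    if target is None:
        return True
    return all(request.get(name) == value for name, value in target.attrib.items())


def evaluate(policy_xml, request):
    """Return (decision, obligations, matched_rule_ids) for one request."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        return "Indeterminate", [], []          # algorithm we cannot evaluate
    if not target_matches(policy, request):
        return "NotApplicable", [], []          # policy does not cover this resource
    matched = {}
    for rule in policy.findall("Rule"):
        effect = rule.get("Effect")
        if effect not in ("Permit", "Deny"):
            return "Indeterminate", [], []      # malformed rule
        if target_matches(rule, request):
            matched[rule.get("RuleId")] = effect
    if not matched:
        return "NotApplicable", [], []
    # deny-overrides: a single matching Deny rule beats any number of Permits.
    decision = "Deny" if "Deny" in matched.values() else "Permit"
    obligations = [o.get("ObligationId")
                   for o in policy.findall("Obligations/Obligation")
                   if o.get("FulfillOn") == decision]
    return decision, obligations, sorted(matched)


def enforce(decision):
    """Deny-biased enforcement point: only an explicit Permit grants access."""
    return decision == "Permit"


if __name__ == "__main__":
    staff = {"resource": "payroll", "role": "hr", "action": "read", "employment": "employee"}
    contractor = dict(staff, employment="contractor")
    print(evaluate(POLICY_XML, staff))
    print(evaluate(POLICY_XML, contractor))
```

A request that no rule covers comes back as NotApplicable, which `enforce` treats the same as Deny.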
 
Prasad DV
Author
Posts: 23

Originally posted by john Lin:
Hi, Ren,
Do you use a client certificate to authenticate your client, or userID/password?
Regards
John


Both can be used. WS Security Specs allow both a Client Certificate and any other form of authentication information. However, a client certificate is the preferred way of authenticating a message, as this also provides an element of message non-repudiation!
 
Ranch Hand
Posts: 37
Hi Prasad
The article in the link below says
http://zdnet.com.com/2100-1107-980511.html
---------------------------------------
This may be a well kept secret now, but 2003 could be the year in which Linux becomes the operating system of choice for Web services.
---------------------------------------
Could you throw some more light on Web Services and operating systems?
Thanks
Swap
 
Sam Dalton
Author
Posts: 170

Originally posted by Prasad DV:

There are several paths to making a web service secure and the process of doing so is still evolving. Primarily there are two methods though! The first option is to put the service behind SSL and use the security cover provided by the Secure Socket Layer Protocol. The second approach is to use the SOAP headers to carry extra information and use this space to secure the SOAP messages using both public key and private key encryption and X509 certificates. For example, the SOAP header may carry the encrypted key, digital signature and authentication information besides the X509 Certificate of the sender while the message itself is encrypted using the key. WS Security specifications promoted by the bigwigs of the industry aim at laying down the norms of doing the latter process.


thanks for the information
Cheers
sam
 
Ranch Hand
Posts: 243
Hi Sir,
I hope you can help me with my questions. I'm interested in interoperability such as accessing a .NET Web service with a Java client and vice-versa. I'll create a new thread. Hope you can visit it and help me out. Thanks
Stanley
 
Stanley Tan
Ranch Hand
Posts: 243
Regarding security: if a Java Web service uses WS-Security security mechanisms, can a .NET or other platform client interoperate with the Web service?
I'm guessing it can, since that's one of the advantages of using XML Web services in the first place, right?
 
Prasad DV
Author
Posts: 23

Originally posted by swap Inam:
Hi Prasad
The article in the link below says
http://zdnet.com.com/2100-1107-980511.html
---------------------------------------
This may be a well kept secret now, but 2003 could be the year in which Linux becomes the operating system of choice for Web services.
---------------------------------------
Could you throw some more light on Web Services and operating systems?
Thanks
Swap


As things stand now, web services are more a feature of web server software than a feature of an operating system. Because web services use the HTTP channel for transport (they can use other channels like SMTP also!), present web service development revolves around internet servers like Apache, IIS etc. Languages like Java, C#, VB provide the platform for developers to leverage the web servers for web services. However, one does not know what is in store for the future. Microsoft is in the process of finalising a new OS called .Net Server, which is supposed to integrate web services into the OS functions themselves! Thus we may end up with operating systems boasting of web services as a feature for running the computer!!
 
Prasad DV
Author
Posts: 23

Originally posted by Stanley Tan:
Regarding security: if a Java Web service uses WS-Security security mechanisms, can a .NET or other platform client interoperate with the Web service?
I'm guessing it can, since that's one of the advantages of using XML Web services in the first place, right?


You are bang on target! The whole idea behind the WS Security specification is to provide a standard platform for inter-operability. Theoretically it should work. However, the WS Security implementations are still at the development stage and it may take a while for a complete inter-operation.
 
Prasad DV
Author
Posts: 23

Originally posted by Stanley Tan:
Hi Sir,
I hope you can help me with my questions. I'm interested in interoperability such as accessing a .NET Web service with a Java client and vice-versa. I'll create a new thread. Hope you can visit it and help me out. Thanks
Stanley



This question has been discussed in this same forum under the title "SOAP & Microsoft" only a few days back. I have also posted to that topic. The URL is http://207.68.164.250/cgi-bin/linkrd?_lang=EN&lah=1b3bf57e84398f3c12442e53218a3b53&lat=1042654632&hm___action=http%3a%2f%2fsaloon%2ejavaranch%2ecom%2fcgi%2dbin%2fubb%2fultimatebb%2ecgi%3fubb%3dget_topic%26f%3d51%26t%3d000533
The URLs to a couple of good articles about SOAP interoperability are given in the posts under that topic. I suggest that you read the posts there.
 
Ranch Hand
Posts: 782
Hi,

Originally posted by Prasad DV:

As things stand now, web services are more a feature of web server software than a feature of an operating system. Because web services use the HTTP channel for transport (they can use other channels like SMTP also!), present web service development revolves around internet servers like Apache, IIS etc. Languages like Java, C#, VB provide the platform for developers to leverage the web servers for web services. However, one does not know what is in store for the future. Microsoft is in the process of finalising a new OS called .Net Server, which is supposed to integrate web services into the OS functions themselves! Thus we may end up with operating systems boasting of web services as a feature for running the computer!!


U mean everything will come with the OS. We do not want to install Web Servers separately?
Bye,
Viki.
 
Greenhorn
Posts: 28
Here is a question my boss is very worried about - calling a Java program from the web - the Java program accesses the database, and he is concerned about corrupting our data via the internet, via the Java. Do you have any insights?
 
Ranch Hand
Posts: 56
Hi,
Is there any relation between SOAP encryption and web services security? Can you please give some insight.
Thanks in advance.
 
Stanley Tan
Ranch Hand
Posts: 243

Originally posted by Prasad DV:

You are bang on target! The whole idea behind the WS Security specification is to provide a standard platform for inter-operability. Theoretically it should work. However, the WS Security implementations are still at the development stage and it may take a while for a complete inter-operation.


Thanks! I guess I'll just have to try it out and hope that it works
 
Stanley Tan
Ranch Hand
Posts: 243

Originally posted by Prasad DV:


This question has been discussed in this same forum under the title "SOAP & Microsoft" only a few days back. I have also posted to that topic. The URL is http://207.68.164.250/cgi-bin/linkrd?_lang=EN&lah=1b3bf57e84398f3c12442e53218a3b53&lat=1042654632&hm___action=http%3a%2f%2fsaloon%2ejavaranch%2ecom%2fcgi%2dbin%2fubb%2fultimatebb%2ecgi%3fubb%3dget_topic%26f%3d51%26t%3d000533
The URLs to a couple of good articles about SOAP interoperability are given in the posts under that topic. I suggest that you read the posts there.



I tried the link but it doesn't work. Appears to be a link read in Hotmail...
 
Stanley Tan
Ranch Hand
Posts: 243

Originally posted by Rajesh Pathak:
Hi,
Is there any relation between SOAP encryption and web services security? Can you please give some insight.
Thanks in advance.


Basically, SOAP messages are passed in clear-text. For obvious reasons, this is a bad thing (for sensitive data) as the message can easily be sniffed. By encrypting the SOAP message or simply the SOAP body, you almost guarantee that no one will be able to read the contents of the message if ever it is intercepted.
 
Rajesh Pathak
Ranch Hand
Posts: 56
Often the following argument is given for using web services: (1) integration of applications running over disparate languages/platforms, (2) program-to-program interaction, etc.
My question is, why should I develop/use a web service when the above requirements can be achieved in other ways also (e.g. a properly coupled J2EE application can do this job well)?
Thanks in advance.
 
Prasad DV
Author
Posts: 23

Originally posted by Rajesh Pathak:
Hi,
Is there any relation between SOAP encryption and web services security? Can you please give some insight.
Thanks in advance.


Yes, there is! (I believe that by "SOAP Encryption" you mean "XML Encryption"!) There is a lot of difference between encrypting a document and encrypting an XML Document. When you encrypt a non-XML document, you would encrypt the entire contents of the document, including the header information like Author Name, Subject, Priority etc. However, when you encrypt an XML Document, the XML Tags are not encrypted but only the contents thereof. In XML Encryption, generally other additional information is added to the XML Document in the form of some Header information like the Encryption method, the type of the key used for encryption, its identification (or even the key itself - sometimes). Web services security is very much dependent on XML Encryption, because the SOAP Messages require only some select portions of it to be encrypted. Other portions like the Headers, which contain the routing information of the message to enable intermediate nodes that process the message to send it to proper destinations, need to be sent unencrypted. Therefore, web services security depends on XML Encryption in a large way to enable secrecy of SOAP Messages. I hope this helps.
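
The selective encryption described in the two replies above, as an added example that is not part of the original thread or the book: only the content of the SOAP Body is replaced by an `EncryptedData` element, while the routing header stays readable to a node that holds no key. The envelope, the `Routing` header and the function names are constructed, and the cipher is a labelled stand-in built from `hashlib` so the block runs with the standard library only; a real service would use an XML Encryption library with a standard algorithm.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"       # XML Encryption namespace
ET.register_namespace("soap", SOAP)
ET.register_namespace("xenc", XENC)

# Constructed sample message: the Routing header and Transfer body are made up.
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header><Routing><To>https://bank.example/payments</To></Routing></soap:Header>
  <soap:Body><Transfer><Account>12345678</Account><Amount>250.00</Amount></Transfer></soap:Body>
</soap:Envelope>"""


def _keystream_xor(key, nonce, data):
    """STAND-IN cipher (SHA-256 keystream XORed with the data). It is not a
    vetted algorithm and gives no integrity protection; it only makes the
    message structure visible without a third-party crypto dependency."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_body(envelope_xml, key):
    """Replace the children of soap:Body with one xenc:EncryptedData element."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP}}}Body")
    plaintext = b"".join(ET.tostring(child) for child in body)
    for child in list(body):
        body.remove(child)
    nonce = os.urandom(16)
    enc = ET.SubElement(body, f"{{{XENC}}}EncryptedData", Type=XENC + "Content")
    # Placeholder algorithm identifier for the stand-in cipher above.
    ET.SubElement(enc, f"{{{XENC}}}EncryptionMethod", Algorithm="urn:example:demo-keystream")
    cipher_data = ET.SubElement(enc, f"{{{XENC}}}CipherData")
    blob = nonce + _keystream_xor(key, nonce, plaintext)
    ET.SubElement(cipher_data, f"{{{XENC}}}CipherValue").text = base64.b64encode(blob).decode()
    return ET.tostring(root, encoding="unicode")


def route_as_intermediary(envelope_xml):
    """What an intermediate node without the key can still read."""
    return ET.fromstring(envelope_xml).findtext(f"{{{SOAP}}}Header/Routing/To")


def decrypt_body(envelope_xml, key):
    """Receiver side: restore the original Body children from CipherValue."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP}}}Body")
    enc = body.find(f"{{{XENC}}}EncryptedData")
    blob = base64.b64decode(enc.findtext(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue"))
    plaintext = _keystream_xor(key, blob[:16], blob[16:])
    body.remove(enc)
    for element in ET.fromstring(b"<wrapper>" + plaintext + b"</wrapper>"):
        body.append(element)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    key = os.urandom(32)
    protected = encrypt_body(ENVELOPE, key)
    print(protected)
    print("intermediary sees:", route_as_intermediary(protected))
    print(decrypt_body(protected, key))
```

Encryption alone does not tell the receiver who sent the message or whether it was altered, which is why the thread pairs it with digital signatures in the SOAP header.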
 
Prasad DV
Author
Posts: 23

Originally posted by Rajesh Pathak:
Often the following argument is given for using web services: (1) integration of applications running over disparate languages/platforms, (2) program-to-program interaction, etc.
My question is, why should I develop/use a web service when the above requirements can be achieved in other ways also (e.g. a properly coupled J2EE application can do this job well)?
Thanks in advance.


Good question! When you are developing an application, where you have control over the various parts of the environment, various users and user groups and the operating systems they all use, I will suggest that the best way to go about it is through J2EE or some other proprietary technology. However, we live in a world of heterogeneity! We need to write applications that follow certain standards and speak with other applications living in other environments and other operating systems. We may never make Microsoft and Sun agree on a standard platform for speaking to each other's applications. AND we may not live forever to continue to keep the application running in J2EE. Therefore, when the world leaders have recognized this and have come to the common ground of XML, should we not respond by writing our applications to also speak the common language of XML? Please ponder!
 
Prasad DV
Author
Posts: 23

Originally posted by Prasad DV:


This question has been discussed in this same forum under the title "SOAP & Microsoft" only a few days back. I have also posted to that topic. The URL is http://207.68.164.250/cgi-bin/linkrd?_lang=EN&lah=1b3bf57e84398f3c12442e53218a3b53&lat=1042654632&hm___action=http%3a%2f%2fsaloon%2ejavaranch%2ecom%2fcgi%2dbin%2fubb%2fultimatebb%2ecgi%3fubb%3dget_topic%26f%3d51%26t%3d000533
The URLs to a couple of good articles about SOAP interoperability are given in the posts under that topic. I suggest that you read the posts there.



Sorry!

The correct link should be: https://coderanch.com/t/219938/Web-Services/java/SOAP-Microsoft
 
Prasad DV
Author
Posts: 23

Originally posted by Vikrama Sanjeeva:
Hi,

U mean everything will come with the OS. We do not want to install Web Servers separately?
Bye,
Viki.


I meant the ability to access the web services, for which a web server is not needed! Initially, operating systems will come with this ability (they already have come like this - if you consider IE as part of Windows OS) Later - who knows? - the OS versions then may possess the ability to host web services in your own computer without you having to install a Web server separately - provided adequate security for doing this evolves!
 
Prasad DV
Author
Posts: 23

Originally posted by Amanda Weber:
Here is a question my boss is very worried about - calling a Java program from the web - the Java program accesses the database, and he is concerned about corrupting our data via the internet, via the Java. Do you have any insights?


This is where Web Services Security comes in a major way. When you expose your databases to the web - you may build a middle tier using web services instead of throwing them open directly.
When the present exercises of the web service community in evolving an adequate security mechanism for web services fructify in a few months, you will be in a position to ascertain the authenticity of the persons accessing the databases and authoritatively ensure that the operations done by them are securely carried out through the web services. Moreover, these security features will allow you to make the database operations non-repudiable by the persons carrying them out by using digital signatures and Digital Certificates.
When all these are assured, how does it differ if the same persons operate upon the database from inside the office or from outside it at their convenience? Please ponder and explain this to your Boss!
 
Vikrama Sanjeeva
Ranch Hand
Posts: 782
Hi,

Originally posted by Prasad DV:
I meant the ability to access the web services, for which a web server is not needed! Initially, operating systems will come with this ability (they already have come like this - if you consider IE as part of Windows OS) Later - who knows? - the OS versions then may possess the ability to host web services in your own computer without you having to install a Web server separately - provided adequate security for doing this evolves!


By doing so I think the OS will become fat. And the cost of the OS will eventually increase.
Bye,
Viki.
 
Ranch Hand
Posts: 243
Your book looks interesting. I will get it (even if I have to buy it!)
 
Ranch Hand
Posts: 121
Hi Prasad,
Is this book suitable for a beginner on Web Service Security?
Are there any examples with explanation?
steffy
 
Prasad DV
Author
Posts: 23

Originally posted by Steffy Sing:
Hi Prasad,
Is this book suitable for a beginner on Web Service Security?
Are there any examples with explanation?
steffy


This book IS suitable for beginners on web services (as against beginners to programming!), as it starts from scratch and explains all concepts associated with web services as well as security and web services security. There are two great case studies - one in Java and the other in .NET Framework - where you will find hundreds of lines of copy-pastable code, which can be used in your applications with minimum modifications. (Make sure that you download the code from Wrox's site to do copy pasting!)
 
Prasad DV
Author
Posts: 23

Originally posted by Rick Portugal:
Your book looks interesting. I will get it (even if I have to buy it!)


Thanks a lot for the encouragement! All the best to you to win the prize give away, even if it means one book less for me and Wrox!!
 
Stanley Tan
Ranch Hand
Posts: 243
Prasad DV,
I hope you come back and visit the JavaRanch Web Services forum... well, at least once in a while
Have a question for you or anyone else that can answer...
What is the WS-I draft? As I understand it, it is for interoperability, but aren't Web services supposed to be interoperable since they follow well-defined standards such as WSDL, SOAP, etc.?
 