Two Laptop Bag
The moose likes Web Services and the fly likes Your views on Web Services Security Big Moose Saloon
  Search | Java FAQ | Recent Topics
Register / Login


Win a copy of Arduino in Action this week in the General Computing forum!

A special promo: Enter your blog post or vote on a blogger to be featured in an upcoming Journal
JavaRanch » Java Forums » Java » Web Services
Reply Bookmark "Your views on Web Services Security" Watch "Your views on Web Services Security" New topic
Author

Your views on Web Services Security

Pankaj Kr
Author
Ranch Hand

Joined: Sep 09, 2003
Posts: 80
posted private message
0
Quote
This is question fot RMH.
I often hear people say that Security is a key obstacle in wide spread adoption of Web Services.
It was not until Netscape introduced SSL and HTTPS that commerce on the Web flourished. And despite the criticism of PKI and HTTPS, these technologies solve the problem of Web security in most people's mind.
SSL and other Transport oriented security mechanisms, such as HTTP-Basic and HTTP-Digest authentication, though applicable to Web Services (atleast those involving SOAP over HTTP and not using content-aware routers), are not seen as ultimate solution to the Web Services Security problem. In the beginning, there was some talk of using message level security such as S/MIME, but I don't hear much about that now.
A lot of people expect WS-Security, a specification originally authored by IBM, Microsoft and VeriSign, and now being standardized at OASIS, to solve the issue of Web Services Security once and for all.
That brings me to my questions:
1. Do you think that WS-Security is the right answer to Web Services Security problem? If yes, why? If no, why? What are different forces at work here?
2. What would be a good way to incorporate WS-Security in J2EE Web Services? Are the JAX-RPC handlers the right answer? or should this be pushed down to the J2EE container?
Best Regards,
Pankaj Kumar.

Pankaj Kumar,<br /><b><a href="http://www.pankaj-k.net" target="_blank" rel="nofollow">Home</a></b> <b><a href="http://www.pankaj-k.net/weblog" target="_blank" rel="nofollow">WebLog</a></b> <b><a href="http://www.j2ee-security.net" target="_blank" rel="nofollow">J2EE Security</a></b>
Richard Monson-Haefel
author
Ranch Hand

Joined: Oct 31, 2003
Posts: 92
posted private message
0
Quote
Hi Pankaj,
Thanks for the question. I won't pretend to be an security expert when it comes to Web services, but I belive that WS-Security, while complex, provides a decent foundation for Web services security.
In the short run I think people will use SSL with Basic AUTH if they need security for the wire. I think a bigger concern over the long run will be fraudulent use of Web services. I talk a little bit about this on an old <a href="http://www.oreillynet.com/pub/wlg/1515">blog</a>

-- <br />Richard Monson-Haefel<br /><a href="http://www.Monson-Haefel.com" target="_blank" rel="nofollow">http://www.Monson-Haefel.com</a>
Richard Monson-Haefel
author
Ranch Hand

Joined: Oct 31, 2003
Posts: 92
posted private message
0
Quote
When it comes to impl WS-Security on J2EE, I think the best choice will probably come down to a combination of JAX-RPC Handlers and Servelt Filters, assuming you are using JAX-RPC Service Endpoints rather than EJB Endponts - EJB doesn't have filters.
 
I agree. Here's the link: http://zeroturnaround.com/jrebel - it saves me about five hours per week
 
subject: Your views on Web Services Security
 
Similar Threads
Invoke secure web service by clicking on an HTML link
Implementing SSL, JAX-WS Webservice IBM websphere JAX-WS runtime
SSL and Web Service - Need a bit of help
How to access Secure web method
SOAP binding mismatch Glassfish 2.1/JAX-WS