Originally posted by Hari Vignesh Padmanaban: Should security be taken into consideration in web services?
The simple answer would be no. Web services data is mostly exchanged over the HTTP layer; if you think HTTP transmission is not safe enough for you, then you have to consider using web services security. [ February 25, 2004: Message edited by: Balaji Loganathan ]
Originally posted by Hari Vignesh Padmanaban: Should security be taken into consideration in web services? Does your book cover that?
IMHO, end-to-end security should be considered in any application, including web services. Chapter 7 of my book discusses an end-to-end framework, some design strategies and a health checklist for web services objects. Typically, HTTPS protects the client-to-server connection. XML encryption and digital signatures ensure data confidentiality and integrity at the message level. There is a heap of security protection mechanisms that need to be in place to protect against message replay, message insertion, denial of service attacks, etc., which are outside the scope of WS-Security. For example, Liberty is a good single sign-on and authentication mechanism. Here's the catch: many security books introduce the alphabet of WS-Security, XML encryption, XKMS, etc. Readers need to put these technologies in the context of real-life applications and the different threats/risks exposed today. They really need a systematic methodology and scenarios. I'm working with 2 other security gurus on a second book on J2EE and web services security patterns. We've introduced a factor analysis and a comprehensive health checklist. You can refer to www.coresecuritypatterns.com. The book should be available by fall 2004.
Free chapter summary/binaries of J2EE Platform Web Services can be found at http://authors.phptr.com/lai/. Get your copy from www.amazon.com.