
Securing Web Services

Russell Ray
Ranch Hand

Joined: Apr 25, 2005
Posts: 116
I am hoping others in this forum will share their experiences involving securing web services. What I would like to know is your thoughts on industry best practices for securing web services.

I have been asked to look at the different industry approaches. From what I have read from Sun, the simplest approach may be using the WS-Security standard. This uses XML Signatures and XML Encryption and can be placed in the header portion of the SOAP message. On the other hand, the most complicated is using an LDAP server for single sign-on.

Our driving force is that the least amount of effort is the best solution, as long as security is not compromised.

Thank you in advance for your comments.

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
Security for web services, as elsewhere, is a multi-faceted subject - a process, not a product or technology. A good introduction is this article, which is part of the Axis documentation, but applies in general.
I'm not under the impression that best practices have already been shaped. While using servlet security (authentication, SSL) for WS has been around for a while, WS-Security is newer and not as widely used yet. What "the least amount of effort while not compromising security" is, depends on what tradeoffs you're willing to make. For a WS used in an intranet servlet security might be enough (assuming your WS engine is based on servlet technology). It might even be enough for a low-value public service. WS-Security adds an overhead, though not a big one, and it's not hard to set up and use. Of course, there are no standard Java APIs for WS-Security yet, so any package you use works differently.
Since you specifically mention LDAP, I'd say that's orthogonal to the kind of security solution you have. It can be used with servlet security, WS-Security, or a roll-your-own solution, just like you may want to use JAAS in conjunction with any of these.
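To make the "WS-Security in the SOAP header" option concrete, here is a minimal SOAP 1.1 request carrying a wsse:Security header. This is an added illustration, not something from the posts above or from any particular toolkit; the username, password, timestamps and wsu:Id values are made up. It uses the simplest WS-Security token (a UsernameToken with a Timestamp); the XML Signature and XML Encryption elements that Russell mentions would live in the same wsse:Security header, but their digest and signature values are computed by the WS-Security library from the message and cannot be written by hand.

```xml
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header>
    <!-- mustUnderstand="1": a receiver that does not process WS-Security must return
         a SOAP fault instead of silently ignoring the security header. -->
    <wsse:Security soapenv:mustUnderstand="1">

      <!-- Constructed example values. A receiver rejects messages whose Created/Expires
           window has passed, which bounds how long a captured message can be replayed. -->
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>2005-05-10T12:00:00Z</wsu:Created>
        <wsu:Expires>2005-05-10T12:05:00Z</wsu:Expires>
      </wsu:Timestamp>

      <!-- PasswordText sends the password in clear inside the XML, so this variant
           still depends on SSL/TLS on the transport. -->
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>ws-client</wsse:Username>
        <wsse:Password
            Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">s3cret</wsse:Password>
      </wsse:UsernameToken>

      <!-- When signing is enabled, the toolkit inserts a ds:Signature element here whose
           References point at the Timestamp and the Body by their wsu:Id attributes. -->
    </wsse:Security>
  </soapenv:Header>

  <soapenv:Body wsu:Id="Body-1">
    <!-- application payload goes here -->
  </soapenv:Body>
</soapenv:Envelope>
```

The point of the header layout is that the security information travels with the message rather than with the connection: the same envelope can pass through intermediaries, be queued, or be logged and still be checked by the final receiver, which is what distinguishes WS-Security from the transport-level approaches discussed in this thread.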
dema rogatkin
Ranch Hand

Joined: Oct 09, 2002
Posts: 294
We found that SSL + basic HTTP authentication works just fine for us. Minimum effort is required for this approach.

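The "servlet security" option Ulf describes and the "SSL + basic HTTP authentication" setup dema uses are the same thing expressed as container configuration. The web.xml fragment below is an added example, not configuration from either poster; it assumes the SOAP engine's servlet is mapped under /services/ and uses an invented role name and realm name.

```xml
<!-- web.xml fragment: HTTP Basic authentication for the SOAP endpoints, accepted over SSL only -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web service endpoints</web-resource-name>
      <!-- Assumption: the WS engine's servlet is mapped here. No <http-method> elements
           are listed on purpose: listing only POST would leave GET (e.g. ?wsdl) and
           every other method outside the constraint. -->
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ws-client</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Basic credentials are only base64-encoded. With NONE the container would accept
           them over plain HTTP, readable to anyone on the path. CONFIDENTIAL makes the
           container redirect or refuse non-SSL requests before the 401 challenge is sent. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>WebServices</realm-name>
  </login-config>

  <security-role>
    <role-name>ws-client</role-name>
  </security-role>

</web-app>
```

Which users hold the ws-client role is defined outside web.xml, in the container's realm (a users file, a JDBC realm, or an LDAP directory), which is exactly why Ulf calls LDAP orthogonal to the choice between servlet security and WS-Security. One check worth doing after deploying this: send a request with a preemptive Authorization header over plain http and confirm the container rejects or redirects it rather than authenticating it, since a client configured that way would otherwise leak the credentials before the redirect to https.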
I agree. Here's the link: