I am hoping others in this forum will share their experiences involving securing web services. What I would like to know is your thoughts on industry best practices for securing web services.
I have been asked to look at the different industry approaches. From what I have read from Sun, the simplest approach may be using the WS-Security standard. This uses XML Signatures and XML Encryption and can be placed in the header portion of the SOAP message. On the other hand, the most complicated is using an LDAP server for single sign-on.
Our driving force is that the least amount of effort is the best solution, as long as security is not compromised.
Security for web services, as elsewhere, is a multi-faceted subject - a process, not a product or technology. A good introduction is this article, which is part of the Axis documentation, but applies in general. I'm not under the impression that best practices have already been shaped. While using servlet security (authentication, SSL) for WS has been around for a while, WS-Security is newer and not as widely used yet. What "the least amount of effort while not compromising security" is, depends on what tradeoffs you're willing to make. For a WS used in an intranet servlet security might be enough (assuming your WS engine is based on servlet technology). It might even be enough for a low-value public service. WS-Security adds an overhead, though not a big one, and it's not hard to set up and use. Of course, there are no standard Java APIs for WS-Security yet, so any package you use works differently. Since you specifically mention LDAP, I'd say that's orthogonal to the kind of security solution you have. It can be used with servlet security, WS-Security, or a roll-your-own solution, just like you may want to use JAAS in conjunction with any of these.
We found that SSL+basic HTTP authentication work just fine for us. Minimum efforts are required for this approach.
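The "servlet security" option the two replies above describe (container-managed BASIC authentication over SSL for a SOAP endpoint) is what the following web.xml fragment configures. This is an added example, not code from either poster; the URL pattern /services/*, the role name ws-client and the realm name are assumptions, and mapping users to that role is done in the container's own user store.

```xml
<!-- Added example: web.xml applying servlet security to a SOAP endpoint.
     /services/*, ws-client and WebServices are assumed names. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web service endpoints</web-resource-name>
      <!-- Assumed pattern under which the SOAP endpoints are published.
           No <http-method> elements on purpose: listing methods protects
           only those methods and leaves every other verb unauthenticated. -->
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only authenticated callers in this (assumed) role may invoke it -->
      <role-name>ws-client</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL makes the container require SSL/TLS; without it the
           BASIC credentials travel base64-encoded in clear text on every
           request, which is the weak form of this same setup. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <!-- HTTP Basic authentication, checked by the container on each call -->
    <auth-method>BASIC</auth-method>
    <realm-name>WebServices</realm-name>
  </login-config>

  <security-role>
    <role-name>ws-client</role-name>
  </security-role>

</web-app>
```

With this in place the endpoint rejects plain HTTP and unauthenticated calls before the SOAP engine sees the request, and nothing in the service code changes.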