JavaRanch » Java Forums » Java » Web Services
WS-Security verses SSL and mutual authentication

Luke Murphy
Ranch Hand

Joined: May 12, 2010
Posts: 300
You are given a requirement that a web service has to be secure and confidential.
You have a choice: WS-Security or SSL with mutual authentication. What do you pick and why?

Thanks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42950
WSS, for a couple of reasons:
  • Transport-level security (like HTTPS) ends the moment the message arrives at the web server, whereas message-level security (like WSS) is in effect until the moment a message has to be in cleartext. That means a SOAP message can be routed around a network securely until it reaches its final destination; that's generally not possible with HTTPS.
  • SOAP over HTTP has taken a dive in popularity in favor of REST (ignoring for a moment that the existence of WSS is one area where WS-* still shines in comparison). But SOAP can be used over other transports -messaging, SMTP, etc.- and WSS still works in those cases; SSL doesn't. Better to keep architectural options available, unless there's a compelling reason not to.
Shankar Tanikella
Ranch Hand

Joined: Jan 30, 2011
Posts: 329

If I design, I shall go for both: WSS for message level to avoid the so-called "Man In the Middle Attack" and 2-way SSL for business level trust. Since SSL also implies trust b/w partners (a handshake) and moreover it is no more difficult to implement it in terms of development perspective using any ws engine.


Have Fun with Java
little, little.. little by little makes a lot..
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42950
If I design, I shall go for both: WSS for message level to avoid the so-called "Man In the Middle Attack" and 2-way SSL for business level trust.

That doesn't buy you much (or anything) that WSS alone (encryption + signature) doesn't also provide.
Luke Murphy
Ranch Hand

Joined: May 12, 2010
Posts: 300
Ulf Dittmer wrote:
If I design, I shall go for both: WSS for message level to avoid the so-called "Man In the Middle Attack" and 2-way SSL for business level trust.

That doesn't buy you much (or anything) that WSS alone (encryption + signature) doesn't also provide.


Brilliant answers!
Shankar Tanikella
Ranch Hand

Joined: Jan 30, 2011
Posts: 329

Good, agree with Ulf, one should also consider the business scenarios and architecture setup. For example, I have a web application which has several layers of security (network level, the system architecture). All requests to the web application require a handshake and it is not a good idea to bypass the SSL by any means just for exposed services, or is it? One should also consider the importance of person - machine (server) and organization - machine communication, shouldn't we?

I am really confused now... need to do a lot of homework.
Anyways, these are just my thoughts.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42950
Shankar Tanikella wrote:All requests to the web application require a handshake and it is not a good idea to bypass the SSL by any means just for exposed services, or is it?

What is appropriate for a web app -which is accessed by humans, manually, using a browser- is not necessarily the same as what is appropriate for web services (which generally get accessed by machines programmatically). If the web service uses proper security mechanisms, I don't see that you'd be "bypassing" anything.

One should also consider the importance of person - machine (server) and organization - machine communication, shouldn't we?

Not sure what you mean by "importance" in this context. You should evaluate what attack scenarios are likely, how bad their effect might be, determine the policies to guard against that, and then put in place mechanisms that implement these policies. Since you mention that you're prepared to learn, you might start with this book.
Shankar Tanikella
Ranch Hand

Joined: Jan 30, 2011
Posts: 329

Thanks for your inputs, I completely agree and am clear with the approach of identifying the threats and then evaluating the anti-threat mechanisms.
Nevertheless, what I meant previously (my perspective) was about the public (one can say everything is public in terms of web services, it's open to everyone) services and private ones.
For example, services between two banks, services between a person and a bank, and maybe even consider services between different branches of the same bank.
Should I break the current level of security for just web services? Or shouldn't I... and more questions I ask myself now. Security is always a hot topic anywhere. Anyways, I shall think it over and correct myself and fill in a few blanks.

However, is there any good book you are familiar with regarding designing, tips, tricks, pitfalls, how to go about things related to web services?
And again thanks for the help.

Kumar Raja
Ranch Hand

Joined: Mar 18, 2010
Posts: 530

If we go with SSL and if the WS setup has several intermediaries, with SSL none of those intermediaries would be able to access the SOAP request/response as everything is encrypted at transport level. Maybe in that case, implementing WS-Security using XML Encryption and XML Signature should be sufficient and appropriate. But if we do not have intermediaries, then adding SSL would be an additional level of security at transport level in addition to message level. Would anyone contradict this?


Regards
KumarRaja
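To make the intermediary argument from Ulf's first post and Kumar's XML Signature point concrete, here is an added example (not code from this thread or any poster) that signs only soap:Body with the JDK's built-in XML Digital Signature API, lets a simulated intermediary add a routing header, and shows that the Body signature still verifies while any edit to the Body is caught. It assumes the verifying key is known to the recipient out of band (so no KeyInfo is emitted), places ds:Signature directly under soap:Header instead of inside a full wsse:Security header, and uses the made-up namespace urn:example:routing for the intermediary's header.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SoapBodySignatureDemo {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");
    // Signs soap:Body (referenced via its wsu:Id) and places the ds:Signature in soap:Header.
    static void signBody(Document doc, PrivateKey key) throws Exception {
        Transform c14n = FAC.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null);
        Reference ref = FAC.newReference("#body", FAC.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(c14n), null, null);
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        Node header = doc.getElementsByTagNameNS(SOAP, "Header").item(0);
        FAC.newXMLSignature(si, null).sign(new DOMSignContext(key, header));   // key known out of band, so no KeyInfo
    }
    // Verifies with the sender's public key; any change to the signed Body fails validation.
    static boolean verifyBody(Document doc, PublicKey pub) throws Exception {
        Node sigEl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(pub, sigEl);
        return FAC.unmarshalXMLSignature(vc).validate(vc);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample envelope; a real message would carry a wsse:Security header.
        String xml = "<soap:Envelope xmlns:soap='" + SOAP + "' xmlns:wsu='" + WSU + "'><soap:Header/>"
            + "<soap:Body wsu:Id='body'><transfer>100</transfer></soap:Body></soap:Envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        body.setIdAttributeNS(WSU, "Id", true);   // lets the "#body" reference resolve
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        signBody(doc, kp.getPrivate());
        // An intermediary adding a routing header (made-up namespace) does not invalidate the Body signature.
        doc.getElementsByTagNameNS(SOAP, "Header").item(0).appendChild(doc.createElementNS("urn:example:routing", "r:Hop"));
        System.out.println("routing header added, body still valid: " + verifyBody(doc, kp.getPublic()));
        // Altering the Body anywhere along the path is detected by the final recipient.
        body.getFirstChild().setTextContent("1000");
        System.out.println("body altered, still valid: " + verifyBody(doc, kp.getPublic()));
    }
}
```

With TLS the same routing hop would have to terminate the connection and see the whole envelope in cleartext; here it only touches the unsigned Header and the recipient still gets end-to-end integrity on the Body.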

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42950
Should I break the current level of security for just web services?

No, you should not. But you should use security mechanisms that are appropriate, and SSL is not the best way to secure web services. There are better approaches that are just as secure, and provide other benefits to boot - see my first post in this thread.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42950
Kumar Raja wrote:But if we do not have intermediaries, then adding SSL would be an additional level of security at transport level in addition to message level. Would anyone contradict this?

Only in the sense that encrypting data repeatedly provides more security than encrypting it once. That means you're not trusting the encryption in the first place, which can mean one of two things: you don't trust the algorithm and think it's breakable, or you don't trust one of the two parties to keep their keys or certificates secure. Either scenario means you don't have a working, secure system, and adding more layers of encryption doesn't change that. So, yes - I am contradicting that.