Security Question: Web Service using VPN

Sara Bento

Joined: Apr 29, 2012
Posts: 2

I am planning to develop a web service available to our customers. Our customers are connected via VPN. The web service will be handling highly sensitive information.

Now I am wondering if I have to implement message level security in addition to VPN?!?

Many thanks in advance,
William Brogden
Author and all-around good cowpoke

Joined: Mar 22, 2000
Posts: 13005
If you have more than one customer on the VPN and you don't add WS-* security such as authentication, wouldn't you worry about customers being able to see other customer information?

Sara Bento

Joined: Apr 29, 2012
Posts: 2
Thank you for your fast reply!!

I'm not sure…

In the following, a few more details: We have a central authentication/authorization system. One of our most important applications is integrated (applet) into many other in-house applications. When a user wants to open the applet, the application which integrates the applet calls the central authentication/authorization system to authenticate the user.

Now, the applet should be integrated into an application hosted by one of our customers. So our central authentication/authorization system should provide a web service. As I mentioned, all our customers are connected via VPN. And of course it is possible that other customers want to use the web service too…..

Sorry if I have expressed myself in too complicated a way, and also for my poor English. I'm very new to all this stuff, but willing to learn :-)

Thank you very much in advance,
Roger Sterling
Ranch Hand

Joined: Apr 06, 2012
Posts: 426

Sara - what you need is something called RBAC (Role-based Access Control). This allows only the principals to see their own information and not the others.
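
The point raised in this thread, as an added example that is not part of any post above: the VPN only shows that a request came from some connected customer, so the service itself has to authenticate which customer is calling and then restrict each caller to its own data. The class name, customer ids, keys and records are constructed for illustration; an HMAC over the request with a per-customer shared secret stands in for WS-Security message authentication, and a simple ownership lookup stands in for a full role model.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

public class TenantScopedService {
    // Constructed sample data: one shared secret per customer, one owner per record.
    private static final Map<String, byte[]> KEYS = Map.of(
        "customer-a", "constructed-key-a".getBytes(StandardCharsets.UTF_8),
        "customer-b", "constructed-key-b".getBytes(StandardCharsets.UTF_8));
    private static final Map<String, String> RECORD_OWNER = Map.of(
        "rec-1", "customer-a",
        "rec-2", "customer-b");

    // Message-level authentication tag over the claimed identity and the requested record.
    static byte[] sign(byte[] key, String customerId, String recordId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal((customerId + "\n" + recordId).getBytes(StandardCharsets.UTF_8));
    }

    // True only if the request is authentic AND the record belongs to the caller.
    static boolean mayRead(String customerId, String recordId, byte[] tag) throws Exception {
        byte[] key = KEYS.get(customerId);
        if (key == null) {
            return false; // caller is not a known customer
        }
        // Authentication: recompute the tag and compare in constant time.
        if (!MessageDigest.isEqual(sign(key, customerId, recordId), tag)) {
            return false;
        }
        // Authorization: an authenticated customer may read only its own records.
        return customerId.equals(RECORD_OWNER.get(recordId));
    }

    public static void main(String[] args) throws Exception {
        byte[] keyA = KEYS.get("customer-a");
        // Case 1: customer A requests its own record.
        System.out.println(mayRead("customer-a", "rec-1", sign(keyA, "customer-a", "rec-1")));
        // Case 2: customer A, correctly authenticated, requests customer B's record.
        System.out.println(mayRead("customer-a", "rec-2", sign(keyA, "customer-a", "rec-2")));
        // Case 3: a caller on the same VPN claims to be customer B but only holds A's key.
        System.out.println(mayRead("customer-b", "rec-2", sign(keyA, "customer-b", "rec-2")));
    }
}
```

Case 2 exercises the ownership check and case 3 the authentication check; neither is something the VPN tunnel can decide on the service's behalf.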