Originally posted by Hari Vignesh Padmanaban:
Should security be taken into consideration in web services? Does your book cover that?
IMHO, end-to-end security should be considered in any application, including web services. My book, ch. 7, discusses an end-to-end framework, some design strategies and a health checklist for web services objects.
Typically, HTTPS protects the client-to-server connection. XML encryption and digital signatures will ensure data confidentiality and integrity at the message level. There is a heap of security protection mechanisms that need to be in place to protect from message replay, message insertion, denial of attack, etc., which are outside the scope of WS-Security. For example, Liberty is a good single sign-on and authentication mechanism.
Here's the catch - many security books introduce the alphabet of WS-Security, XML encryption, XKMS, etc. Readers need to put these technologies in the context of real-life applications and the different threats/risks exposed today. They really need a systematic methodology and scenarios.
I'm working with 2 other security gurus on a second book on J2EE and web services security patterns. We've introduced a factor analysis and a comprehensive health checklist. You can refer to www.coresecuritypatterns.com. The book should be available by fall 2004.
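The reply above makes the point that HTTPS secures the connection while message-level integrity and replay protection need their own mechanisms. The following is an added illustration, not code from the poster or the book: it stands in for an XML Signature with a plain HMAC over a JSON envelope (an assumption for brevity) and shows a receiver rejecting tampered, stale and replayed messages by covering a message id and creation timestamp with the signature.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would use the signing key
# that WS-Security / XML-DSig binds to the sender.
KEY = b"demo-shared-secret"
FRESHNESS_SECONDS = 300   # replay window the receiver is willing to remember


def _canonical(envelope: dict) -> bytes:
    # Deterministic serialisation so sender and receiver MAC identical bytes
    # (the role XML canonicalisation plays for an XML Signature).
    unsigned = {k: v for k, v in envelope.items() if k != "sig"}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()


def sign_message(body: dict, msg_id: str, created: float) -> dict:
    """Wrap a payload so that id, timestamp and body are all covered by the MAC."""
    envelope = {"id": msg_id, "created": created, "body": body}
    envelope["sig"] = hmac.new(KEY, _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class MessageVerifier:
    """Receiver-side check: integrity first, then freshness, then replay."""

    def __init__(self):
        self.seen_ids = {}   # message id -> created timestamp, bounded by the window

    def verify(self, envelope: dict, now: float) -> str:
        """Return 'ok' or the reason the message must be rejected."""
        expected = hmac.new(KEY, _canonical(envelope), hashlib.sha256).hexdigest()
        sig = envelope.get("sig", "")
        if not hmac.compare_digest(sig, expected):
            return "bad-signature"      # tampered or inserted message
        if abs(now - envelope["created"]) > FRESHNESS_SECONDS:
            return "stale"              # outside the window, so no cache entry needed
        if envelope["id"] in self.seen_ids:
            return "replay"             # same signed message presented again
        self.seen_ids[envelope["id"]] = envelope["created"]
        # Evict ids older than the window so the cache cannot grow without bound.
        self.seen_ids = {i: t for i, t in self.seen_ids.items()
                         if now - t <= FRESHNESS_SECONDS}
        return "ok"
```

A message whose timestamp is older than the window is rejected without consulting the cache, which is what keeps the replay cache bounded.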