Mr. Lai, Hi, I was curious what your opinion is on how secure web services are. If they are publicly accessible, can this public access ever become a problem in the future? What are your experiences with this topic? It would be interesting to hear it from someone with a lot of web service knowledge. Thanks, Dave Knipp
SCJP 1.4, SCJD 1.4, SCWCD 1.3, SCBCD 1.3, IBM Certified Solution Developer -WebSphere Studio V5.0
Originally posted by Dave Knipp: If they are publicly accessible, can this public access ever become a problem in the future? What are your experiences with this topic?
Many web services in production are private, i.e. you can't access them directly from the public internet. Even if you can, they use tight encryption (e.g. HTTPS and XML encryption) and authentication mechanisms. The majority of early adopters tend to use HTTPS in general. Anyway, there was no WS-Security 2-3 years ago - no standard way to protect SOAP messages; HTTPS appeared to be sufficient for RPC calls. There are also some web services in production available on the public internet. The examples cited in public include ASU, Jarna, Adobe, Comvia, POSC, TCPL, etc. My book ch 2 section 2.5 provides some details.

I'm aware that some financial services using web services typically use HTTPS, but some of them use web services for server-side processing to aggregate account information from the back-end, without allowing the client-side to invoke the services directly.

It's difficult to conclude whether this "first-generation" web services security is secure, because end-to-end security spans across different layers and technology stacks. Early generations of web services use HTTPS and XML encryption, which cover client-to-server interaction and message-level protection. But they are not necessarily sufficient, as there are many risk areas behind the DMZ firewall and between service components. For instance, message replay can be hazardous even though you have HTTPS and XML encryption.

It's true that when more web services are available in public, the security risk will increase as they become more accessible to hackers. However, provided that architects / developers have a strong apps security design to cover all layers and stacks, I'm confident that it is still safe and secure to provide public web services. For instance, Liberty provides a good security framework for single sign-on and authentication services. This will be a strong component in building end-to-end web services security.
Many customers I met today seem to be happy with web services security using HTTPS and XML encryption. Some are still waiting for the final WS-Security or any market standard to be finalized. Most of them are fully aware of the need for stronger end-to-end security. But some thought HTTPS and XML encryption were just fine. IMHO, as the public gains more awareness of what web services are, their awareness and demand for end-to-end web services security will increase.
Free chapter summary/binaries of J2EE Platform Web Services can be found at http://authors.phptr.com/lai/. Get your copy from www.amazon.com.
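As an added illustration of the message-replay risk raised in the reply above (this is example code, not from the thread or from Mr. Lai's book): a service-side freshness and nonce check over a WS-Security header, which is the mechanism WS-Security later standardized for this. It assumes a five-minute freshness window and uses the standard WS-Security 1.0 / SOAP 1.1 namespace URIs; the envelope itself is constructed for the demo.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Standard SOAP 1.1 and WS-Security 1.0 namespaces (the envelope built below is constructed)
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

class ReplayGuard:
    """Rejects a message whose Timestamp is outside the freshness window or whose Nonce was already seen."""

    def __init__(self, max_skew=timedelta(minutes=5)):  # assumed window, tune to clock drift
        self.max_skew = max_skew
        self.seen = {}  # nonce -> instant after which the timestamp check alone rejects it

    def check(self, envelope_xml, now):
        root = ET.fromstring(envelope_xml)
        created = root.find(".//wsu:Timestamp/wsu:Created", NS)
        nonce = root.find(".//wsse:Nonce", NS)
        if created is None or nonce is None or not (nonce.text or "").strip():
            return False, "missing Timestamp or Nonce"
        ts = datetime.fromisoformat(created.text.strip().replace("Z", "+00:00"))
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside freshness window"
        # Drop nonces that can no longer pass the timestamp check, so the cache stays bounded
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        if nonce.text in self.seen:
            return False, "nonce already seen (replay)"
        self.seen[nonce.text] = ts + self.max_skew
        return True, "accepted"

def constructed_request(nonce, created):
    """Constructed SOAP request carrying a WS-Security Timestamp and a UsernameToken nonce."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
  <soap:Header><wsse:Security>
    <wsu:Timestamp><wsu:Created>{created}</wsu:Created></wsu:Timestamp>
    <wsse:UsernameToken><wsse:Username>alice</wsse:Username><wsse:Nonce>{nonce}</wsse:Nonce></wsse:UsernameToken>
  </wsse:Security></soap:Header>
  <soap:Body><getBalance xmlns="urn:example:bank"/></soap:Body>
</soap:Envelope>"""

def demo():
    """Fresh message accepted; the same bytes replayed 10 s later rejected; an hour-old message rejected."""
    now = datetime(2004, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    guard = ReplayGuard()
    msg = constructed_request("Q0x1YjJ0", "2004-06-01T11:59:30Z")
    first = guard.check(msg, now)
    replayed = guard.check(msg, now + timedelta(seconds=10))
    stale = guard.check(constructed_request("b3RoZXI=", "2004-06-01T11:00:00Z"), now)
    return first[0], replayed[0], stale[0]  # → (True, False, False)
```

The check only has teeth when the Timestamp and Nonce elements are covered by the message signature; otherwise an intermediary who can read the message can also rewrite them.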