I am hoping others in this forum will share their experiences involving securing web services. What I would like to know is your thoughts on industry best practices for securing web services.
I have been asked to look at the different industry approaches. From what I have read from SUN, the simplest approach may be using the WS-Security standard. This uses XML Signatures and XML Encryption and can be placed in the header portion of the SOAP message. On the other hand, the most complicated is using an LDAP server for single sign-on.
Our driving force is that the least amount of effort is the best solution, as long as security is not compromised.
Thank you in advance for your comments.
Post by: Ulf Dittmer
Security for web services, as elsewhere, is a multi-faceted subject - a process, not a product or technology. A good introduction is this article, which is part of the Axis documentation, but applies in general. I'm not under the impression that best practices have already been shaped. While using servlet security (authentication, SSL) for WS has been around for a while, WS-Security is newer and not as widely used yet. What "the least amount of effort while not compromising security" is depends on what tradeoffs you're willing to make. For a WS used in an intranet, servlet security might be enough (assuming your WS engine is based on servlet technology). It might even be enough for a low-value public service. WS-Security adds an overhead, though not a big one, and it's not hard to set up and use. Of course, there are no standard Java APIs for WS-Security yet, so any package you use works differently. Since you specifically mention LDAP, I'd say that's orthogonal to the kind of security solution you have. It can be used with servlet security, WS-Security, or a roll-your-own solution, just like you may want to use JAAS in conjunction with any of these.
Post by: dema rogatkin, Ranch Hand
We found that SSL + basic HTTP authentication works just fine for us. Minimal effort is required for this approach.
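The "servlet security" that Ulf mentions and the "SSL + basic HTTP authentication" that dema uses are the same thing expressed in the servlet container's deployment descriptor. The web.xml fragment below is an added illustration, not something posted by either of them; the URL pattern `/services/*` (the default Axis endpoint path) and the role name `ws-client` are assumptions, and the realm behind BASIC auth (a file, a database, or the LDAP server the question mentions) is configured in the container, not here.

```xml
<!-- Added example: declarative servlet security for a SOAP endpoint.
     Assumptions: the web service engine is servlet-based and is mapped
     under /services/*; the role name ws-client is defined in the
     container's realm. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SOAP endpoints</web-resource-name>
    <url-pattern>/services/*</url-pattern>
    <!-- No <http-method> element on purpose: listing only POST would leave
         every other method (GET, HEAD, ...) unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only authenticated callers in this role may reach the endpoints. -->
    <role-name>ws-client</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL forces HTTPS. BASIC auth is only base64-encoded, so
         without this guarantee the credentials travel in the clear. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>SOAP endpoints</realm-name>
</login-config>

<security-role>
  <role-name>ws-client</role-name>
</security-role>
```

Two points to check after deploying: that the container actually redirects or refuses plain HTTP for the pattern (the CONFIDENTIAL guarantee depends on an HTTPS connector being configured), and that the constraint covers every path the engine serves, including any WSDL or listing pages, since an uncovered path is reachable without credentials.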