Posted to soap-dev@ws.apache.org by Miguel Perez <mi...@epicentric.com> on 2002/07/11 18:42:39 UTC

Security in Web Services?

How is security normally implemented when dealing with web services? I know
the connection from the client to the server can be sent over HTTPS.
However, how do tools like Single Sign-On tools come into play? Can cookies
be passed from the client to the server? Where can I get more information
regarding the standardization of a security layer to web services?

Miguel

Re: Security in Web Services?

Posted by Scott Nichol <sn...@scottnichol.com>.
For info on what I would consider the emerging standard, do a Google search
on WS-Security.

Today, there is a lot of hand-rolling security, usually SSL for privacy
combined with one of three authentication types: (1) HTTP Basic auth (which
you can deal with in a J2EE-standard way), (2) SSL client certificates
(great for B2B) and (3) custom application code, which may or may not hook
into SSO.

Cookies can be passed.  The ability to manipulate the cookies from the
client code was just added to CVS yesterday, I believe.

Scott Nichol

----- Original Message -----
From: "Miguel Perez" <mi...@epicentric.com>
To: <so...@xml.apache.org>
Sent: Thursday, July 11, 2002 12:42 PM
Subject: Security in Web Services?


> How is security normally implemented when dealing with web services? I know
> the connection from the client to the server can be sent over HTTPS.
> However, how do tools like Single Sign-On tools come into play? Can cookies
> be passed from the client to the server? Where can I get more information
> regarding the standardization of a security layer to web services?
>
> Miguel
>

