Web Service Security

[Suzy Fynes <su...@sentenial.ie>]

Hi,
 
Can anyone tell me the best approach to take for securing a web services
server? Its set up using java and I've been currently looking at
xws-security but it seems to causing more trouble than anything else.
Does anyone know if this is the best approach or is there another
option. At the moment the security level needed would be simply just to
have each client login before accessing the deployed service on server.
 
 
Thanks,
Suzy

Re: Web Service Security

[Jim Murphy <jm...@mindreef.com>]

There are 2 fundamental choices:

1.  Secure the message at the SOAP layer
2.  Secure the channel at the protocol layer

WS-Security is for #1.  It means you can perform security related 
functions like authentication, signing and privacy(encryption) entirely 
by manipulating the XML messages.  This makes your security solution 
transport independent and also makes it possible for secure delivery of 
messages that span multiple intermediary servers.  These solutions tend 
to be a little more complicated since the specs/toolkit implementations 
are "new-ish" they may not interoperate, perform well or even work. It 
is the direction we are going but be prepared to learn more about 
security than you ever wanted to. :)

Option #2 is the most expedient and popular approach these days.  You 
send messages in clear text and secure the underlying protocol by using 
https for example.  This has certain advantage too, not the least of 
which is familiarity and reliability.  This disadvantages are the 
advantages of approach #1.  Using HTTP basic authentication over https 
is a very reasonable solution given what you mentioned about your needs.

Hope that helps,

Jim Murphy
Mindreef, Inc.



Suzy Fynes wrote:

> Hi,
> 
> Can anyone tell me the best approach to take for securing a web services 
> server? Its set up using java and I’ve been currently looking at 
> xws-security but it seems to causing more trouble than anything else. 
> Does anyone know if this is the best approach or is there another 
> option. At the moment the security level needed would be simply just to 
> have each client login before accessing the deployed service on server.

> Thanks,
> Suzy

RE: Web Service Security

[Bhuvan <bh...@fiorano.com>]

Hi Suzy, 
 
You would need the support of Basic Authentication in your webservice. 
 
Please refer to following links to get the information on how to enable
basic authentication in AXIS. 
 
http://www.mail-archive.com/axis-user@xml.apache.org/msg04657.html
http://www-106.ibm.com/developerworks/webservices/library/ws-sec1.html
http://www.informit.com/articles/article.asp?p=24600
<http://www.samspublishing.com/articles/article.asp?p=24600> 
 
Thanks
Bhuvan

  _____  

From: Suzy Fynes [mailto:suzanne.fynes@sentenial.ie] 
Sent: Friday, August 20, 2004 2:45 PM
To: axis-user@ws.apache.org
Subject: Web Service Security


Hi,
 
Can anyone tell me the best approach to take for securing a web services
server? Its set up using java and I've been currently looking at
xws-security but it seems to causing more trouble than anything else. Does
anyone know if this is the best approach or is there another option. At the
moment the security level needed would be simply just to have each client
login before accessing the deployed service on server.
 
 
Thanks,
Suzy
Fiorano MailServer All incoming and outgoing mails are scanned for Virus
http://www.fiorano.com