You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-user@axis.apache.org by Suzy Fynes <su...@sentenial.ie> on 2004/08/20 11:15:24 UTC
Web Service Security
Hi,
Can anyone tell me the best approach to take for securing a web services
server? Its set up using java and I've been currently looking at
xws-security but it seems to causing more trouble than anything else.
Does anyone know if this is the best approach or is there another
option. At the moment the security level needed would be simply just to
have each client login before accessing the deployed service on server.
Thanks,
Suzy
Re: Web Service Security
Posted by Jim Murphy <jm...@mindreef.com>.
There are 2 fundamental choices:
1. Secure the message at the SOAP layer
2. Secure the channel at the protocol layer
WS-Security is for #1. It means you can perform security related
functions like authentication, signing and privacy(encryption) entirely
by manipulating the XML messages. This makes your security solution
transport independent and also makes it possible for secure delivery of
messages that span multiple intermediary servers. These solutions tend
to be a little more complicated since the specs/toolkit implementations
are "new-ish" they may not interoperate, perform well or even work. It
is the direction we are going but be prepared to learn more about
security than you ever wanted to. :)
Option #2 is the most expedient and popular approach these days. You
send messages in clear text and secure the underlying protocol by using
https for example. This has certain advantage too, not the least of
which is familiarity and reliability. This disadvantages are the
advantages of approach #1. Using HTTP basic authentication over https
is a very reasonable solution given what you mentioned about your needs.
Hope that helps,
Jim Murphy
Mindreef, Inc.
Suzy Fynes wrote:
> Hi,
>
> Can anyone tell me the best approach to take for securing a web services
> server? Its set up using java and I’ve been currently looking at
> xws-security but it seems to causing more trouble than anything else.
> Does anyone know if this is the best approach or is there another
> option. At the moment the security level needed would be simply just to
> have each client login before accessing the deployed service on server.
> Thanks,
> Suzy
RE: Web Service Security
Posted by Bhuvan <bh...@fiorano.com>.
Hi Suzy,
You would need the support of Basic Authentication in your webservice.
Please refer to following links to get the information on how to enable
basic authentication in AXIS.
http://www.mail-archive.com/axis-user@xml.apache.org/msg04657.html
http://www-106.ibm.com/developerworks/webservices/library/ws-sec1.html
http://www.informit.com/articles/article.asp?p=24600
<http://www.samspublishing.com/articles/article.asp?p=24600>
Thanks
Bhuvan
_____
From: Suzy Fynes [mailto:suzanne.fynes@sentenial.ie]
Sent: Friday, August 20, 2004 2:45 PM
To: axis-user@ws.apache.org
Subject: Web Service Security
Hi,
Can anyone tell me the best approach to take for securing a web services
server? Its set up using java and I've been currently looking at
xws-security but it seems to causing more trouble than anything else. Does
anyone know if this is the best approach or is there another option. At the
moment the security level needed would be simply just to have each client
login before accessing the deployed service on server.
Thanks,
Suzy
Fiorano MailServer All incoming and outgoing mails are scanned for Virus
http://www.fiorano.com