Top 10 in 2008
- Hello, OSGi: Bundles for beginners
- Eclipse or NetBeans? IDEs compared
- Is Tomcat enterprise ready?
- IBATIS, Hibernate, and JPA: Which is right for you?
- Merging and branching in Subversion 1.5
- Understanding the Java Persistence API
- Four harmful Java idioms, and how to fix them
- Asynchronous HTTP and Comet architectures
- Introducing Hibernate Search
- Open source Java projects: Java Native Access
5 popular archives:
- Introduction to Java threads (1996)
- Put JSF to work (2004)
- The Maven 2 POM demystified (2006)
- Get started with Hibernate (2004)
- Acegi security in one hour (2007)
All selections are based on page views.
JW hot topic: Tech careers in a slump
Seems like new layoffs are announced every week, projects are dying and software developers are feeling the IT budget squeeze.
Being nervous isn't a crime, but you're better off with information, advice, and a plan.
From the IDG News Network:
Sponsored Links
Secure Web services
The upcoming Web services security schemes should help drive Web services forward
- Feedback
- Discuss
Security is important for any distributed computing environment. But, security is becoming even more important for Web services due to the following reasons:
- The boundary of interaction between communicating partners is expected to expand from intranets to the Internet. For example, businesses increasingly expect to perform some transactions over the Internet with their trading partners using Web services. Obviously, from a security perspective, Internet communication is much less protected than intranet communication.
- Communicating partners are more likely to interact with each other without establishing a business or human relationship first. This means that all security requirements such as authentication, access control, nonrepudiation, data integrity, and privacy must be addressed by the underlying security technology.
- More and more interactions are expected to occur from programs to programs rather than from humans to programs. Therefore, the interaction between communicating partners using Web services is anticipated to be more dynamic and instantaneous.
- Finally, as more and more business functions are exposed as Web services, the sheer number of participants in a Web services environment will be larger than what we have seen in other environments.
Currently, the most common security scheme available for today's Web services is SSL (Secure Socket Layer), which is typically used with HTTP. Despite its popularity, SSL has some limitations when it comes to Web services. Thus, various XML-based security initiatives are in the works to address Web services' unique needs. This article examines those schemes.
SSL limitations
First, SSL is designed to provide point-to-point security, which falls short for Web services because we need end-to-end security, where multiple intermediary nodes could exist between the two endpoints. In a typical Web services environment where XML-based business documents rout through multiple intermediary nodes, it proves difficult for those intermediary nodes to participate in security operations in an integrated fashion.
Second, SSL secures communication at transport level rather than at message level. As a result, messages are protected only while in transit on the wire. For example, sensitive data on your hard disk drive is not generally protected unless you apply a proprietary encryption technology.
Third, HTTPS in its current form does not support nonrepudiation well. Nonrepudiation is critical for business Web services and, for that matter, any business transaction. What is nonrepudiation? Nonrepudiation means that a communicating partner can prove that the other party has performed a particular transaction. For example, if E-Trade received a stock transaction order from one of its clients and performed the transaction on behalf of that client, E-Trade wants to ensure it can prove it completed that transaction to an arbitration committee, for example, if a dispute arises. We need some level of nonrepudiation for Web services-based transactions.
- Feedback
Resources
- Information on XML digital signature
http://www.w3.org/Signature - Information on XML Encryption
http://www.w3.org/Encryption - Information on XKMS
http://www.w3.org/TR/xkms/ - Information on SAML
http://oasis-open.org/committees/security - Information on XACML
http://www.oasis-open.org/committees/xacml/ - Information on WS-Security
http://www.oasis-open.org/committees/wss/ - Information on the Liberty Alliance Project
http://www.projectliberty.org - Sang Shin's Web services programming class
http://www.plurb.com/webservices - Sang Shin's XML class
http://groups.yahoo.com/group/xmlpdffiles/files/index.html - For detailed information on XML Encryption and XML digital signature, see "Yes, You Can Secure Your Web Services Documents," Ray Djajadinata (JavaWorld):
-
- Part 1XML Encryption keeps your XML documents safe and secure (August 2002)
- Part 2XML Signature ensures your XML documents' integrity (October 2002)
- For more articles on Web services, see the following JavaWorld resources
-
- The Java and Web Services section of JavaWorld's Topical Index
http://www.javaworld.com/channel_content/jw-webserv-index.shtml - Frank Sommers's Web Services column
http://www.javaworld.com/columns/jw-web-services-index.shtml
- The Java and Web Services section of JavaWorld's Topical Index
- Browse the Security section of JavaWorld's Topical Index
http://www.javaworld.com/channel_content/jw-security-index.shtml - Talk more about securing Web services in JavaWorld's Java Security discussion
http://forums.devworld.com/webx?50@@.ee6b80e - Sign up for JavaWorld's free weekly email newsletters
http://www.javaworld.com/subscribe - You'll find a wealth of IT-related articles from our sister publications at IDG.net
Sponsored Links
About Us | Advertise | Contact Us | Terms of Service/Privacy
Copyright, 2006-2008 Network World, Inc. All rights reserved.