When you plan to secure your web services, first you need to understand the exact security requirements. If you do not care about providing message level security, you can easily use the transport layer security. As an example web services over HTTPS.
If you do care, to protect messages even after the transit, or you have multiple intermediaries that need to be involved in the message delivery process, you need to go for the message level security.
Alternatively you may use both these together. For example you might use the transport layer security provide the confidentiality while using message level security for authentication purposes.
Apart from understanding the basic standards such as XML Encryption, XML Signature, Keys management in SOAP message security, you need to understand how to configure the security features.
The common standard for this in web services is to follow WS-Policy and WS-Security Policy specifications. These two specifications defined the behavior model for web services. For example whether the message need to be encrypted, signed, what type of tokens to be included in the security header etc. Also a requirement for one service may not be valid for another. Thus defining service specific requirements might be necessary.
Friday, December 07, 2007
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment