
My first post here! I wanted to get some community help on security of web services.

I'm doing a state-of-the-art survey of web services security. I need every solution out there that addresses concerns about identification, access control, and transmission-related ones like data integrity, protection, and non-repudiation.

So I looked up some real-world solutions to fill those needs. I found these for SOAP-based web services:

  • Identification: WS-Security Framework
  • Authentication: Extensible Access Control Markup Language (XACML)
  • Authorization
    • Extensible Rights Markup Language (XrML)
    • XML Key Management (XKMS)
    • Security Assertion Markup Language (SAML)
    • .NET Passport
  • Confidentiality
    • WS-Security Framework
    • XML-Encryption
    • Secure Sockets Layer (SSL)
    • WSS

And almost all of them can be implemented using spring-security.

On the other hand, RESTful web services have the reputation of being less secure. Being based on the web, SSL/TLS is a great solution for encryption, but other security protocols do exist, like:

  • OAuth: used by Facebook and Twitter, without token exchange
  • OpenID: used by Google
  • CAS
  • LDAP, Kerberos
  • Persona, BrowserID

Another solution may be to integrate security into the enterprise bus as a service (Security as a Service).

So my question is: are there any other solutions I should know about? Are there any other frameworks?

Thanks a lot

Oussama L.
  • A previous post should help you: http://stackoverflow.com/questions/853620/secure-web-services-rest-over-https-vs-soap-ws-security-which-is-better – AurA May 03 '13 at 16:13

2 Answers


Just adding one point: regarding RESTful web services, developers can use the security provided by the Tomcat servlet container. This can be accomplished by configuring a realm in server.xml and tomcat-users.xml. Details of the configuration are here: http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

And the best-suited option may be form-based authentication. Ref: http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html?page=2

Shams

If you want more control over the security of REST web services, then you can think about implementing your own authentication and RBAC (role-based access control). Simply take the username and password with every request in a header over HTTPS and implement RBAC on your REST web service layer. You can basically add servlet filters to do the authentication and authorization before the request is actually handed over to the web service.

The choice is yours; there are obviously different security frameworks available, but you have to choose what best meets your requirements.

Juned Ahsan
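The filter approach this answer describes, as an added example that is not part of the original answer: a javax.servlet filter (Servlet 3.0 API as shipped with Tomcat 7; Java 9+ for Map.of) that authenticates HTTP Basic credentials and applies a prefix-based role table before the REST layer is reached. The users, roles and path prefixes are constructed placeholders.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.*;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;
import static java.nio.charset.StandardCharsets.UTF_8;

// Checks TLS, HTTP Basic credentials, then the role the path requires, before /api/* is reached.
@WebFilter("/api/*")
public class RestAuthFilter implements Filter {
    // Constructed sample users: name -> {password, comma-separated roles}. Placeholders only;
    // a real deployment verifies against a hashed credential store, not literals in code.
    private static final Map<String, String[]> USERS = Map.of(
        "alice", new String[]{"alice-pw", "admin,user"}, "bob", new String[]{"bob-pw", "user"});
    // Hypothetical access rules, most specific prefix first: {path prefix, required role}.
    private static final String[][] RULES = {{"/api/admin", "admin"}, {"/api", "user"}};

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        // Header credentials only over TLS (behind a TLS-terminating proxy, set up RemoteIpValve).
        if (!r.isSecure()) { w.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required"); return; }
        String[] cred = parseBasic(r.getHeader("Authorization"));
        String[] user = cred == null ? null : USERS.get(cred[0]);
        if (user == null || !MessageDigest.isEqual(user[0].getBytes(UTF_8), cred[1].getBytes(UTF_8))) {
            w.setHeader("WWW-Authenticate", "Basic realm=\"rest\"");
            w.sendError(HttpServletResponse.SC_UNAUTHORIZED); return;   // authentication failed
        }
        String path = r.getRequestURI().substring(r.getContextPath().length());
        String needed = null;                                           // first matching rule wins
        for (String[] rule : RULES) if (path.startsWith(rule[0])) { needed = rule[1]; break; }
        if (needed == null || !Arrays.asList(user[1].split(",")).contains(needed)) {
            w.sendError(HttpServletResponse.SC_FORBIDDEN); return;      // no rule or wrong role: deny
        }
        chain.doFilter(req, res);
    }

    // Decodes "Basic base64(user:password)"; returns null on anything malformed.
    static String[] parseBasic(String h) {
        if (h == null || !h.startsWith("Basic ")) return null;
        String s;
        try { s = new String(Base64.getDecoder().decode(h.substring(6).trim()), UTF_8); }
        catch (IllegalArgumentException e) { return null; }
        int i = s.indexOf(':');
        return i < 0 ? null : new String[]{s.substring(0, i), s.substring(i + 1)};
    }
    @Override public void init(FilterConfig c) {} @Override public void destroy() {}
}
```

Because the filter denies any path no rule covers, adding a new resource under /api/* requires an explicit rule, which keeps the default at least privilege.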