Chapter 5. Web Services Security
Overview of Web Services Security
Web services security covers a lot of territory, which cannot be explored all at once. The territory is sufficiently broad that it needs to be divided into smaller, more manageable chunks. Here is a sketch of how this chapter and the next cover this territory:
- Wire-level security
Security begins at the transport or wire level; that is, with basic protocols that govern communications between a web service, whether SOAP-based or REST-style, and its clients. Security at this level typically provides three services. First, the client and service need transport-level assurance that each is communicating with the other rather than with some impostor. Second, the data sent from one side to the other needs to be encrypted strongly enough so that an interceptor cannot decrypt the data and thus gain access to the secrets carried therein. Third, each side needs assurance that the received message is the same as the sent message. This chapter covers the basics of wire-level security with code examples.
- User authentication and authorization
Web services provide clients with access to resources. If a resource is secured, then a client needs the appropriate credentials to gain access. The credentials are presented and verified through a process that usually has two phases. In the first phase, a client (user) presents information such as a username together with a credential such as a password. If the credential is not accepted, access ...
Get Java Web Services: Up and Running now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.