Chapter 6. Web Services Security

Security for web services covers a lot of territory, which cannot be explored all at once. To make the exploration more manageable, it seems best to analyze small chunks, one at a time, before pulling the exploration results together. Here is a sketch of how this chapter breaks up the broad topic of security into smaller pieces:

Wire-level security
Security begins at the transport or wire level with basic protocols that govern communications between a web service, whether SOAP-based or REST-style, and its clients. Security at this level typically provides three services. First, the client and service need transport-level assurance that each is communicating with the other rather than with some impostor. Second, the data sent from one side to the other need to be encrypted strongly enough so that an interceptor cannot decrypt the data and thus gain access to the confidential information carried therein. Third, each side needs assurance that the received message is the same as the sent message. This chapter covers the basics of wire-level security with code examples, most of which focus on HTTPS as a provider of wire-level security.
User authentication and authorization
Web services provide clients with access to resources. If a resource is secured, then a client needs the appropriate credentials to gain access. The credentials are presented and verified through a process that usually has two phases. In the first phase, a client (user) presents ...

Get Java Web Services: Up and Running, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.