Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management
Topics in This Chapter
The emergence of Web services introduced us to a new paradigm for enabling the exchange of information across the Internet using open industry standards and standards-based technologies. Adopting Web services and adhering to its standards facilitates building service-oriented and on-demand applications that can be discovered, subscribed to, and consumed over the Internet. The clients invoking these services do not need to be aware of the target service provider's system environment or its underlying implementation model. Because of the flexibility of using platform-neutral standards such as XML and of adopting Internet-based protocols, Web services allow application components to be exposed as services and made available for access by any application, on any platform or any device, at any location. Web services enable service integration between applications through interoperability and allow application-to-application communication for business collaboration and business process management across the Internet. With the increasing adoption, acceptance, and availability of Web services application infrastructure tools, Web services promise a new services industry that provides business services over the Internet. Applying security and establishing trust among Web services, or between a Web service and its consumer, has raised new challenges, some of which remain unaddressed by traditional security methods and technologies. Because Web services can be dynamically located, subscribed to, and consumed using a wide range of platforms, including handheld devices, the Web services provider must offer a standardized security mechanism that service requesters can use from heterogeneous platforms and devices.
For example, patients viewing their medical records via Web services should not be constrained or affected by whether they are using a Web browser client, a browser-capable device, or a stand-alone application, as long as the service requester client on which patients view records is able to use the required message transport and apply the relevant security mechanisms with the Web service provider. Building a comprehensive security model for Web services requires the integration of currently available security technologies with the evolving set of XML security standards and technologies. This security model is an amalgamation of standards and technologies relevant to Web services security (such as message-level and transport-layer security) with application-specific security processes (such as authentication, access control, rules, and trust). Ensuring the integrity, confidentiality, and security of a Web service by applying a standards-based end-to-end security model from the ground up is important for both Web services providers and their consumers. In this chapter, we conduct an in-depth study of the architecture, the security threats and vulnerabilities, the security requirements, and the evolving standards for Web services that contribute to building end-to-end security in Web services. We also introduce the Java-based Web services infrastructure providers and their support for these evolving standards.