Security and authorization are a hot topic with Web Services. In fact, the security and authorization specifications are currently in flux, and this is often the reason cited for not proceeding with any work related to Web Services. Nevertheless, the fact that these specifications are in flux should not hold you back from experimenting with Web Services. Much can be done without the specifications being complete: nearly all organizations should be able to find some areas in which to experiment with Web Services that have low requirements for security and authorization.
In fact, Chapter 7 of Web Services and Service-Oriented Architectures: The Savvy Manager's Guide discusses the stages of adoption for Web Services. The first four of the five stages do not require much security and authorization because they involve internal systems.
Security and authorization specifications described on this site are listed below.
Specialized XML firewalls offer the promise of protecting internal systems when using Web Services. Traditional firewalls offer protection at the packet level and do not examine the contents of messages. XML firewalls, on the other hand, examine the contents of each message, including the SOAP headers and the XML payload, and are designed to permit only authorized content to pass through the firewall.
For a listing of XML firewall products, click here.
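The kind of message-level inspection an XML firewall performs, as an added illustration that is not from this site or any product it lists: it parses a SOAP 1.1 envelope, requires a WS-Security UsernameToken in the header, and allows the body through only if it carries a single operation on a hypothetical allowlist. The namespace `urn:example:orders`, the operation names and the sample messages are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Constructed policy (hypothetical): the only operation allowed to cross the boundary.
ALLOWED_OPERATIONS = {("urn:example:orders", "GetOrderStatus")}


def inspect_soap(message: str) -> Tuple[bool, str]:
    """Return (permitted, reason) for a SOAP 1.1 request after inspecting header and body."""
    # Refuse DTDs before parsing: entity declarations are the classic XML parser abuse.
    if "<!DOCTYPE" in message or "<!ENTITY" in message:
        return False, "DTD or entity declaration not allowed"
    try:
        root = ET.fromstring(message)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP 1.1 envelope"
    header = root.find(f"{{{SOAP_NS}}}Header")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return False, "missing SOAP Body"
    # Header check: a WS-Security UsernameToken must be present. A real XML firewall
    # would also verify the credential; this example only checks that it is there.
    token_path = f"{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken"
    if header is None or header.find(token_path) is None:
        return False, "missing WS-Security UsernameToken"
    # Content check: exactly one operation element, and it must be on the allowlist.
    operations = list(body)
    if len(operations) != 1:
        return False, "Body must carry exactly one operation"
    tag = operations[0].tag
    ns, local = tag[1:].split("}", 1) if tag.startswith("{") else ("", tag)
    if (ns, local) not in ALLOWED_OPERATIONS:
        return False, f"operation not permitted: {local}"
    return True, "permitted"


# Constructed sample messages (not from the page).
GOOD_MSG = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">
  <soap:Header><wsse:Security><wsse:UsernameToken><wsse:Username>alice</wsse:Username>
  </wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><o:GetOrderStatus xmlns:o="urn:example:orders"><o:OrderId>42</o:OrderId>
  </o:GetOrderStatus></soap:Body>
</soap:Envelope>"""
BAD_MSG = GOOD_MSG.replace("GetOrderStatus", "PurgeAllOrders")
```

The same envelope with the operation renamed is rejected by the content check, and a message without a Security header is rejected by the header check, which is the distinction between an XML firewall and a packet filter that would pass both.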
XACML -- A No-Nonsense Developer's Guide Integration Developers, CA - Apr 10, 2008 BEA's Lockhart pointed to another possibility, enabled by the combination of SAML and XACML. "A lightweight, or possibly Open Source, policy enforcement ...
Telecoms sector "to optimize SOA" Integration Developers, CA - May 6, 2008 Last month, the Oasis consortium demonstrated the interoperability of the eXtensible Access Control Markup Language (XACML) version 2.0.
How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD by Mike Andrews, James A. Whittaker Average Customer Review: based on 11 reviews. Customer Review: If your company has a web site, there are many people waiting to attack it and break into it. In How to Break Web Software: Functional and Security Testing of Web Applications and Web Services, authors Mike Andrews and James Whittaker detail the myriad Web software exploits that attackers will attempt to carry out. The tools and tec...
Core Security Patterns: Best Practices and Strategies for J2EE(TM), Web Services, and Identity Management (Core Series) by Christopher Steel, Ramesh Nagappan, Ray Lai Average Customer Review: based on 32 reviews. Customer Review: This is a great book - by far the best security design book for Java and J2EE (including Java SE 6 and Java EE 5) I have read to date. When I first heard about my coworkers talking about this book, I thought "oh great, another J2EE book!" Much to my surprise, this book is not just a how-to security API or patterns recipe book but mu...
Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption by Jothy Rosenberg, David Remy Average Customer Review: based on 13 reviews. Customer Review: This book is a good introduction to the application of security to Web Services and SOA. The authors focus on "message level" security versus "transport level" security, and its application to Web Services. The book explains standards: WS-Security, WS-Policy, WS-SecurePolicy and other current standards at the time of publishing (200...
Web Services Security by Mark O'Neill Average Customer Review: based on 9 reviews. Customer Review: This is *the* book to date on the topic. I particularly like the blend of strategy and practice that Mark and the others have achieved. They've managed to get straight to the point: The best way to secure web services today is through XML Signature, XML Encryption, SAML, and WS-Security, and this book explains how those technologies ...